
MilkyDoor Android Trojan Accesses Corporate Networks


This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.

Summary

It’s been discovered that the MilkyDoor trojan, similar to DressCode, has been disguised as recreational applications in the Google Play store.

Affected platforms

The following platforms are known to be affected:

Threat details

MilkyDoor allows attackers to have access to internal networks and private servers.

When the Android user installs one of the rebranded apps, the malware queries a third-party server to obtain the device’s local IP address along with its country, city and coordinates. It then uploads this information to its Command and Control (C2) server, which replies with the host and password for a Secure Shell (SSH) connection. MilkyDoor uses this SSH tunnel to send encrypted malicious traffic and payloads into the network.

Because SSH tunnels use port 22, firewalls usually do not block traffic that goes through this port.

Once this is complete, the attacker has access to a business’s corporate assets and data.


Remediation steps

For an organisation to be protected against such threats, a robust policy on Bring Your Own Device (BYOD) and company-issued devices should be implemented, covering staff wishing to connect to the organisation’s Wi-Fi.

Points to consider include:

  • Ensure each device has the adequate level of security in order to protect the device; each device should have compulsory mobile security in order to be used for work purposes.
  • Users should be encouraged to update their operating systems when patches and new operating systems are released.
  • Beware of ‘rooting’ an Android device. As well as granting enhanced privileges, rooting removes security restrictions and leaves the device more open to malware and other malicious code.

An intrusion detection system (IDS) can identify unusual behaviours and communications in the organisation’s network.
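As an added example that is not part of the NHS Digital alert, the following Python script shows the kind of check an IDS or log review can apply to the behaviour described above: it scans a constructed firewall connection log for BYOD Wi-Fi devices repeatedly opening outbound SSH (tcp/22) sessions to external hosts that are not sanctioned. The BYOD range, internal ranges, allowlist and log format are all assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed firewall connection log (sample data, not from the advisory):
# timestamp src dst dport proto action bytes
SAMPLE_LOG = """\
2020-02-17T09:00:01Z 10.50.1.23 203.0.113.10 22 TCP ALLOW 48120
2020-02-17T09:00:31Z 10.50.1.23 203.0.113.10 22 TCP ALLOW 51234
2020-02-17T09:01:01Z 10.50.1.23 203.0.113.10 22 TCP ALLOW 47988
2020-02-17T09:01:31Z 10.50.1.23 203.0.113.10 22 TCP ALLOW 50311
2020-02-17T09:02:00Z 10.50.1.23 198.51.100.5 22 TCP ALLOW 9021
2020-02-17T09:02:10Z 10.50.2.7 203.0.113.10 443 TCP ALLOW 2210
2020-02-17T09:02:15Z 10.50.2.7 10.10.0.4 22 TCP ALLOW 1800
2020-02-17T09:02:40Z 10.20.0.8 203.0.113.10 22 TCP ALLOW 3300
2020-02-17T09:03:05Z 10.50.3.9 203.0.113.55 22 TCP ALLOW 1200
"""

# Assumed network layout: the BYOD/guest Wi-Fi range, RFC 1918 internal ranges
# and the single external SSH endpoint the organisation sanctions.
BYOD_WIFI = ipaddress.ip_network("10.50.0.0/16")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SSH_ALLOWLIST = {ipaddress.ip_address("198.51.100.5")}
SSH_PORT = 22

def parse_line(line):
    """Split one whitespace-separated log record into typed fields."""
    ts, src, dst, dport, proto, action, nbytes = line.split()
    return {"ts": ts, "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "dport": int(dport), "proto": proto, "action": action, "bytes": int(nbytes)}

def is_external(addr):
    """True when the address lies outside every internal range."""
    return not any(addr in net for net in INTERNAL_NETS)

def find_suspicious_ssh(log_text, min_connections=3):
    """Report BYOD devices repeatedly opening outbound tcp/22 sessions to external
    hosts outside the allowlist, the pattern a malware-driven SSH tunnel produces."""
    pairs = defaultdict(lambda: {"connections": 0, "bytes": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["proto"] != "TCP" or rec["dport"] != SSH_PORT or rec["action"] != "ALLOW":
            continue
        if rec["src"] not in BYOD_WIFI or not is_external(rec["dst"]) or rec["dst"] in SSH_ALLOWLIST:
            continue
        entry = pairs[(str(rec["src"]), str(rec["dst"]))]
        entry["connections"] += 1
        entry["bytes"] += rec["bytes"]
    hits = [{"src": s, "dst": d, **v} for (s, d), v in pairs.items() if v["connections"] >= min_connections]
    return sorted(hits, key=lambda e: -e["connections"])

if __name__ == "__main__":
    for hit in find_suspicious_ssh(SAMPLE_LOG):
        print(f"{hit['src']} -> {hit['dst']}:22  {hit['connections']} sessions, {hit['bytes']} bytes")
```

Sanctioned internal SSH use, non-SSH traffic and corporate (non-BYOD) hosts are deliberately left out of the report so that the alert stays focused on the tunnel behaviour.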


Last edited: 17 February 2020 11:35 am