Brand new DressCode malware discovered in Android apps on the Google Play store

Malwares are generally not taken that seriously by many. Because perhaps they don’t poses a huge security risk when compared to loopholes or security exploits present in the OS. But malwares are a serious issue specially in the android world. Individuals with malicious intent will always target the most popular operating systems, and Android happens to just be the most popular of them all. The Check Point mobile threat prevention research team discovered a new Android malware on Google Play, called “DressCode,” which was embedded into more than 40 apps, and found in more than 400 additional apps on third party app stores.

Check Point notified Google about the malicious apps, and Google has removed the affected apps.

DressCode infected at least half a million Android devices

DressCode-infected apps were found uploaded on Google Play Store as far back as April 2016. According to Check Point researchers Alon Menczer and Alexander Lysunets, DressCode-infected malicious apps on Google Play were downloaded by 500,000 to 2,000,000 users, with some of the apps reaching between 100,000 and 500,000 downloads each.

One of the malicious apps on the Google Playstore

DressCode transforms infected devices in proxy servers

Check Point researchers said DressCode converts infected apps into proxy servers, thereby creating a botnet. Botnets are created by hackers to surreptitiously gain control over a bunch of devices. Bots can generally be used for a variety of purposes, including distributing phishing links, malware and ransomware. A botnet’s capabilities generally depends on its size, therefore, larger botnets come with more extensive capabilities.


The malware could be even more dangerous than that. “Since the malware allows the attacker to route communications through the victim’s device, the attacker can access any internal network to which the device belongs. This can compromise security for enterprises and organizations,” Check Point added.

Also Read : Five Eye Catching devices from IFA 2016 

Attackers could use this scenario to send malicious commands to the infected device, which could scan the network for valuable information the attacker could steal, or escalate their access. This case is a worst-case scenario, and most likely, DressCode operators use the infected devices to deliver ads and perform click-fraud for their personal financial gain.

Before discovering DressCode, the Check Point team had found Viking Horde, a similar Android malware family that also focuses on delivering ads, by using a proxy to interconnect bots and their C&C server.



Infected apps package names found on Google Play

  • com.dark.kazy.goddess.lp
  • com.whispering.kazy.spirits.pih
  • com.shelter.kazy.ghost.jkv
  • com.dress.up.Musa.Winx.Stella.Tecna.Bloom.Flora
  • com.dress.up.princess.Apple.White.Raven.Queen.Ashlynn.Ella.Ever.After.High
  • com.dress.up.Cerise.Hood.Raven.Queen.Apple.White.Ever.After.Monster.High
  • com.cute.dressup.anime.waitress
  • com.rapunzel.naughty.or.nice
  • guide.slither.skins
  • guide.lenses.snapchat
  • com.minecraft.skins.superhero
  • com.catalogstalkerskinforminecraft_.ncyc
  • com.applike.robotsskinsforminecraft
  • com.temalebedew.modgtavformcpe
  • com.manasoft.skinsforminecraftunique
  • com.romanseverny.militaryskinsforminecraft
  • com.temalebedew.animalskinsforminecraft
  • com.temalebedew.skinsoncartoonsforminecraft
  • com.str.carmodsforminecraft
  • com.hairstyles.stepbystep.yyhb
  • com.str.mapsfnafforminecraft
  • com.weave.braids.steps.txkw
  • mech.mod.mcpe
  • com.applike.animeskinsforminecraftjcxw
  • com.str.furnituremodforminecraft
  • com.vladgamerapp.skins.for_.minecraft.girls
  • com.zaharzorkin.cleomodsforgtasailht
  • com.temalebedew.ponyskins
  • com.gta.mod.minecraft.raccoon
  • com.applike.hotskinsforminecraft
  • com.applike.serversforminecraftpe
  • com.zaharzorkin.pistonsmod

This is not the first Android malware to use popular game apps to propagate. Several fake Pokémon Go Android apps have also popped up after the immense success of the game app, one of which was found to be a lockscreen malware infecting distributing porn ads to infected users. Other detected Android malware variants were found to pose as banking Trojans, one of which called Fanta SDK was found to be draining victims’ bank accounts while posing as a fake bank app.

SOURCE: Check Point

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Powered by

Up ↑