In 2016, researchers uncovered a botnet that turned infected Android phones into covert listening posts that could siphon sensitive data out of protected networks. Google at the time said it removed the 400 Google Play apps that installed the malicious botnet code and took other, unspecified “necessary actions” to protect infected users.
Now, roughly 16 months later, a hacker has provided evidence that the so-called DressCode botnet continues to flourish and may currently enslave as many as four million devices. The infections pose a significant risk because they cause phones to use the SOCKS protocol to open a direct connection to attacker servers. Attackers can then tunnel into home or corporate networks to which the phones belong in an attempt to steal router passwords and probe connected computers for vulnerabilities or unsecured data.
Even worse, a programming interface that the attacker’s command and control server uses to establish the connection is unencrypted and requires no authentication, a weakness that allows other attackers to independently abuse the infected phones.