A new commercial tool designed to allow cybercriminals to easily transform legitimate Android applications into malicious software has hit the underground market, paving the way for cheap and easy development of sophisticated Android malware.
The toolkit is called Dendroid and can be used to create “trojanized” apps—legitimate applications with malicious code added to them—that connect back to a command-and-control server over HTTP and allow attackers to perform a variety of malicious actions on devices that have those apps installed.
Dendroid is marketed by its creators as an Android remote administration tool (RAT) and is being sold for US$300, security researchers from Symantec said Wednesday in a blog post. Buyers receive a tool called an “APK Binder” that can be used to add the Dendroid RAT functionality and its required permissions to any clean APK (Android application package) as well as access to a sophisticated PHP-based control panel that allows detailed management of the infected devices.
Dendroid’s features include deleting call logs and files; calling phone numbers; opening Web pages; recording calls and audio from the microphone; intercepting text messages; taking and uploading photos and videos; opening applications and launching HTTP flood (denial-of-service) attacks for a period of time specified by the attacker.
Malware as a service
Dendroid is not the first Android RAT, but is one of the most sophisticated one seen to date.
“Dendroid is a much improved remote access tool that is definitely aimed for commercial purposes,” said Bogdan Botezatu, a senior e-threat analyst at Bitdefender, Thursday via email. “Although it roughly does the same as Androrat [an older Android RAT], it appears to be much more stable and allows cybercriminal groups to better manage the pool of mobile bots.”
“Another interesting aspect would be the fact that Dendroid is currently delivered as a service: while the buyer gets the bot builder, the control panel is hosted by the team behind Dendroid on offshore virtual private servers, according to their claims,” he said.
According to Botezatu, the commercialization of professionally designed DIY (do-it-yourself) malware toolkits for Android is a significant development and signals a shift in the malware landscape for the platform. Technically speaking, Android malware has pretty much followed in the footsteps of Windows malware, he said.
“On the PC platform, other crimeware toolkits like Zeus (Trojan.Zbot) and SpyEye (Trojan.Spyeye) started off in a similar manner and grew quickly in popularity due to their ease of use and notoriety stemming from the high profile crimes perpetrated as a result of their usage,” the Symantec researchers said.
“Cybercrime is all about making easy money with minimum of effort,” Botezatu said. “Creating a piece of malware that is stable, tested and does not crash the host device requires a lot of work and skill.” Using an affordable DIY builder like Zeus, SpyEye and now Dendroid, is a much more convenient alternative for cybercriminals, he said.
While malware distribution on Android is harder to scale than on Windows, because Google has gotten much better at policing the Google Play store in recent years, there are variety of techniques that attackers can and have used to trick users into installing malicious apps on their devices.
These techniques include distributing malicious apps through third-party app stores that are very popular in certain markets like China or Russia, using Windows malware to inject rogue messages into Web browsing sessions to claim the rogue apps are associated with trusted sites like online banking ones, and even selling phones with trojanized apps pre-installed on them.
A mobile security company called Marble Security recently identified a fake and malicious Netflix app that came pre-installed on multiple Android devices from Samsung Electronics, Motorola Mobility and LG Electronics. The company believes the app might have been installed on the devices somewhere in the supply chain.
Malicious apps are still found from time to time on Google Play, but they’re usually quickly removed. In a marketing video posted by the Dendroid authors online they claim that the new RAT contains techniques to bypass detection by Bouncer, Google Play’s automated malware scanner, and other anti-virus programs. However, it’s not clear how effective those alleged techniques actually are.