Dendroid spying RAT malware found on Google Play
A new Android malware toolkit called Dendroid is being offered for sale by its creators, and at least one of the malicious APKs created with it has managed to fool Google Play’s Bouncer.
According to Lookout researchers, Dendroid is a moderately sophisticated toolkit, and “comes with a business model that is highly reminiscent of Russian custom malware toolkits.” But, judging by the advertisements found, its developers are looking to sell it to criminals in the West.
The Dendroid toolkit is perfectly equipped for creating malicious apps with remote administration and spying capabilities, but also offers “offers a full command and control infrastructure with a control panel every bit as feature rich as some of the more sophisticated Russian botnets.”
The malicious APKs can purportedly intercept, block, and send out SMSes; record ongoing phone calls; take pictures, record video and audio by using the device’s camera and microphone; download pictures the device owner has already made, as well as his or her browser history and bookmarks; and extract saved login credentials and passwords for a variety of accounts.
“Dendroid also comes bundled with a universal ‘binder application.’ This is a point-and-click tool that a customer can use to inject (or bind) Dendroid into any innocent target application that they choose with minimal effort,” the researchers added.
“This means that all a wannabee malware author needs in order to start pumping out infected applications is to choose a carrier app, download it and then let Dendroid’s toolkit take care of the rest.”
Sold for $300 (in crypto currencies), the toolkit comes with a warranty that the malware created with it will remain undetected.
The researchers have discovered one app created with Dendroid that managed to get included and offered on Google Play by leveraging anti-emulation detection code that fools Google Play’s Bouncer, the automated app scanning service that analyzes apps by running them on Google’s cloud infrastructure and simulating how they will run on an Android device. The app has since been removed from the market.
Bouncer might have not spotted it, but antivirus companies are now wise to its tricks, and have already started detecting it. The ball is now in Dendroid creators’ court and they will have to make some changes to avoid detection again – if they can.
“Thanks to the quick identification and detection of Dendroid by security companies we don’t anticipate Dendroid becoming a major threat,” the researchers noted. “However, it does represent a step change upwards in the complexity of all-in-one malware toolkits for Android.”
“Toolkits of this sophistication changed the PC landscape significantly as it lowered the barrier for entry and enabled relatively unskilled malware operators to control substantial botnets with a level of control they would never have been able to reach on their own,” they pointed out.