New crimeware tool Dendroid makes it easier to create Android malware, researchers warn

The tool can be used to add malicious functionality to legitimate applications, researchers from Symantec said

A new commercial tool designed to allow cybercriminals to easily transform legitimate Android applications into malicious software has hit the underground market, paving the way for cheap and easy development of sophisticated Android malware.

The toolkit is called Dendroid and can be used to create "trojanized" apps -- legitimate applications with malicious code added to them -- that connect back to a command-and-control server over HTTP and allow attackers to perform a variety of malicious actions on devices that have those apps installed.

Dendroid is marketed by its creators as an Android remote administration tool (RAT) and is being sold for US$300, security researchers from Symantec said Wednesday in a blog post. Buyers receive a tool called an "APK Binder" that can be used to add the Dendroid RAT functionality and its required permissions to any clean APK (Android application package) as well as access to a sophisticated PHP-based control panel that allows detailed management of the infected devices.

Dendroid's features include deleting call logs and files; calling phone numbers; opening Web pages; recording calls and audio from the microphone; intercepting text messages; taking and uploading photos and videos; opening applications and launching HTTP flood (denial-of-service) attacks for a period of time specified by the attacker.

Dendroid is not the first Android RAT, but it is one of the most sophisticated ones seen to date.

"Dendroid is a much improved remote access tool that is definitely aimed for commercial purposes," said Bogdan Botezatu, a senior e-threat analyst at Bitdefender, Thursday via email. "Although it roughly does the same as Androrat [an older Android RAT], it appears to be much more stable and allows cybercriminal groups to better manage the pool of mobile bots."

"Another interesting aspect would be the fact that Dendroid is currently delivered as a service: while the buyer gets the bot builder, the control panel is hosted by the team behind Dendroid on offshore virtual private servers, according to their claims," he said.

According to Botezatu, the commercialization of professionally designed DIY (do-it-yourself) malware toolkits for Android is a significant development and signals a shift in the malware landscape for the platform. Technically speaking, Android malware has pretty much followed in the footsteps of Windows malware, he said.

"On the PC platform, other crimeware toolkits like Zeus (Trojan.Zbot) and SpyEye (Trojan.Spyeye) started off in a similar manner and grew quickly in popularity due to their ease of use and notoriety stemming from the high profile crimes perpetrated as a result of their usage," the Symantec researchers said.

"Cybercrime is all about making easy money with minimum of effort," Botezatu said. "Creating a piece of malware that is stable, tested and does not crash the host device requires a lot of work and skill." Using an affordable DIY builder like Zeus, SpyEye and now Dendroid is a much more convenient alternative for cybercriminals, he said.

While malware distribution on Android is harder to scale than on Windows, because Google has gotten much better at policing the Google Play store in recent years, there are a variety of techniques that attackers can use, and have used, to trick users into installing malicious apps on their devices.

These techniques include distributing malicious apps through third-party app stores that are very popular in certain markets like China or Russia, using Windows malware to inject rogue messages into Web browsing sessions to claim the rogue apps are associated with trusted sites like online banking ones, and even selling phones with trojanized apps pre-installed on them.

A mobile security company called Marble Security recently identified a fake and malicious Netflix app that came pre-installed on multiple Android devices from Samsung Electronics, Motorola Mobility and LG Electronics. The company believes the app might have been installed on the devices somewhere in the supply chain.

Malicious apps are still found from time to time on Google Play, but they're usually quickly removed. In a marketing video posted online, the Dendroid authors claim that the new RAT contains techniques to bypass detection by Bouncer, Google Play's automated malware scanner, and by other anti-virus programs. However, it's not clear how effective those alleged techniques actually are.
