Remote access trojans that let criminals spy on you are a nasty problem, but finding one in the Google Play store sets off some alarms. This week, researchers found Dendroid, a custom “Remote Access Toolkit” (RAT) for Android targeting customers in Western countries, and yes, it breached Google Play. A RAT is a type of malware used to remotely control the devices it is installed on. The toolkit is being sold for $300 to anyone who wants to automate the malware distribution process. The creator promises that the malware can take pictures with the phone's camera, record audio and video, download existing pictures, record calls, send texts, and more. All Lookout users are protected from this threat.
On top of all these features, the toolkit comes with a business model that is highly reminiscent of Russian custom malware toolkits. The author sells the toolkit online, demands payment in currencies like Bitcoin, and offers a warranty that the malware will remain undetected. Want to evade detection and get into Google Play? This toolkit promises to help you do just that. While this kind of complete, toolkit-based approach is common in the Russian underground, especially for banking trojans, the model is unusual to find in the U.S.

What’s more, Dendroid looks as if it was designed with evading Play Store security in mind. Among its numerous features, Dendroid includes some relatively simple, yet unusual, anti-emulation detection code that helps it evade Bouncer, Google’s anti-malware screening system for the Play Store. Malware-detecting systems like Bouncer run submitted apps in an emulator in order to log and understand their behavior, so that risky behavior can be recognized and blocked in the future. With "anti-emulation" code, malware writers attempt to hide by recognizing the emulator and not executing any malicious code while inside it, since that code might alert the detection system. As Dendroid is a new threat, detections are very low right now. We have detected only a single application infected with Dendroid; it has already been removed from the Play Store, but the developer’s account is still open.

This toolkit differs from the majority of custom Android malware solutions in other ways as well. Most of them offer just a few pieces of code for the wannabe malware author to insert into an innocent target application; more sophisticated features, such as command and control of infected devices, are left to the operator to implement. Dendroid, on the other hand, offers a full command and control infrastructure with a control panel every bit as feature-rich as some of the more sophisticated Russian botnets.
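As an added illustration of the defensive side of the anti-emulation point above (example code written for this post, not Lookout's tooling and not Dendroid's code): a small triage heuristic that scans the string constants dumped from an app for well-known stock-emulator artifacts appearing alongside device-identity API reads, which is what an analyst screening submissions would look for. The indicator list is an assumed, general list of emulator artifacts; the post does not say which checks Dendroid performs, and the string tables below are constructed.

```python
import re

# Well-known artifacts of the stock Android emulator (assumed general list;
# the post does not say which checks Dendroid actually makes).
EMULATOR_INDICATORS = [
    (re.compile(r"ro\.kernel\.qemu"), "qemu system property"),
    (re.compile(r"goldfish"), "emulator hardware/kernel name"),
    (re.compile(r"^generic(_x86)?$"), "emulator Build.DEVICE/PRODUCT value"),
    (re.compile(r"^(google_)?sdk$"), "emulator Build.MODEL/PRODUCT value"),
    (re.compile(r"^0{15}$"), "all-zero IMEI"),
    (re.compile(r"^1555521555\d$"), "emulator phone number"),
]
# Device-identity APIs (smali descriptors) that such checks typically read.
IDENTITY_APIS = (
    "Landroid/os/Build;->FINGERPRINT",
    "Landroid/os/Build;->MODEL",
    "Landroid/os/Build;->PRODUCT",
    "Landroid/telephony/TelephonyManager;->getDeviceId",
    "Landroid/telephony/TelephonyManager;->getLine1Number",
)

def assess_anti_emulation(strings):
    """Return (verdict, indicator_hits, api_refs) for an app's string table,
    i.e. the constants and method references dumped from its classes.dex."""
    hits = [(s, why) for s in strings
            for pat, why in EMULATOR_INDICATORS if pat.search(s)]
    api_refs = [s for s in strings if s.startswith(IDENTITY_APIS)]
    # Several independent artifacts next to an identity-API read is a strong
    # signal; a lone "generic" string is common noise in benign apps.
    if len({why for _, why in hits}) >= 2 and api_refs:
        return "likely emulator detection", hits, api_refs
    if hits:
        return "weak signal, review manually", hits, api_refs
    return "no emulator-detection artifacts", hits, api_refs

# Constructed string tables for illustration, not from a real sample.
SUSPICIOUS_APP = [
    "Landroid/os/Build;->FINGERPRINT:Ljava/lang/String;",
    "Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;",
    "generic", "goldfish", "000000000000000", "http://panel.example.invalid/",
]
BENIGN_APP = ["Landroid/os/Build;->MODEL:Ljava/lang/String;", "generic error", "OK"]

if __name__ == "__main__":
    for name, table in (("suspicious", SUSPICIOUS_APP), ("benign", BENIGN_APP)):
        verdict, hits, apis = assess_anti_emulation(table)
        print(f"{name}: {verdict} ({len(hits)} artifacts, {len(apis)} API refs)")
```

A verdict of "likely emulator detection" is a reason to run the sample on real hardware as well as in the sandbox, not proof of malice on its own.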
Available for $300 in cryptocurrencies such as Bitcoin or Litecoin (and PayPal if the seller trusts you), Dendroid offers its customers a list of advanced spyware features and complete command and control, backed up by its promise of a lifetime warranty.

http://vimeo.com/77793875
Some of Dendroid’s promised features:
- Ability to intercept and block SMS received by the target device
- Download pictures from the target device
- Spy on the user by taking pictures or making audio and video recordings
- Download the user’s web browser history and any saved bookmarks
- Download any other accounts (email, social media, VPN) stored on the device
- Send texts as the device owner
- Record any ongoing calls
- Open a dialog box to ask for passwords or send messages to the victim
Dendroid also comes bundled with a universal “binder application.” This is a point-and-click tool that a customer can use to inject (or bind) Dendroid into any innocent target application they choose, with minimal effort. This means that all a wannabe malware author needs in order to start pumping out infected applications is to choose a carrier app, download it, and let Dendroid’s toolkit take care of the rest. Overall, Dendroid is not a sophisticated application, and there are signs that it may be a collaboration in which several different malware projects have converged. Thanks to the quick identification and detection of Dendroid by security companies, we don’t anticipate it becoming a major threat. However, it does represent a step change upwards in both the complexity and the operation of all-in-one malware toolkits for Android. Toolkits of this sophistication changed the PC landscape significantly: they lowered the barrier to entry and enabled relatively unskilled malware operators to control substantial botnets with a level of control they could never have reached on their own.
How To Stay Safe
- Make sure the Android system setting ‘Unknown sources’ is unchecked to prevent dropped or drive-by-download app installs
- Download a mobile security app like Lookout’s app that protects against malware as a first line of defense