Today we talk about Dendroid, a remote access tool (RAT) first discovered by researchers from Symantec (http://www.symantec.com/connect/blogs/android-rats-branch-out-dendroid).
As an Android trojan, Dendroid raised the bar on malware commercialization: $300 for lifetime updates; 24/7 customer support; Bitcoin and Litecoin accepted as payment, so buyers need not worry about disclosing their identity; and an "app-repacking" service, so a buyer can customize the trojan and bind it to a normal app as a disguise. The trojan even sneaked past Google's automatic malware scanner into the Google Play Store, and was later removed by Google.
If you were unfortunate enough to download and open it, your phone would become part of the attacker's botnet. Dendroid continuously listens for commands sent from its C&C (command and control) server and executes whatever command the attacker gives. Dendroid supports a large set of commands, including spying through the camera, recording phone conversations and SMS, and even launching a DDoS attack as part of the botnet:
- mediavolumeup
- mediavolumedown
- ringervolumeup
- ringervolumedown
- screenon
- recordcalls
- intercept
- blocksms
- recordaudio
- takevideo
- takephoto
- settimeout
- sendtext
- sendcontacts
- callnumber
- deletecalllognumber
- openwebpage
- updateapp
- promptupdate
- promptuninstall
- uploadfiles
- changedirectory
- deletefiles
- getbrowserhistory
- getbrowserbookmarks
- getcallhistory
- getcontacts
- getinboxsms
- getsentsms
- deletesms
- getuseraccounts
- getinstalledapps
- httpflood
- openapp
- opendialog
- uploadpictures
- setbackupurl
- transferbot
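As an added illustration (not Trustlook's detection logic and not code from Dendroid itself), here is a small Python heuristic that scans a binary blob such as a classes.dex for the command keywords listed above and flags a file that carries several of the distinctive ones; the distinctive set, the thresholds and the sample string tables are the editor's own assumptions.

```python
import re

# Command keywords Dendroid's bot accepts from its C&C server, as listed above.
DENDROID_COMMANDS = frozenset({
    "mediavolumeup", "mediavolumedown", "ringervolumeup", "ringervolumedown",
    "screenon", "recordcalls", "intercept", "blocksms", "recordaudio",
    "takevideo", "takephoto", "settimeout", "sendtext", "sendcontacts",
    "callnumber", "deletecalllognumber", "openwebpage", "updateapp",
    "promptupdate", "promptuninstall", "uploadfiles", "changedirectory",
    "deletefiles", "getbrowserhistory", "getbrowserbookmarks", "getcallhistory",
    "getcontacts", "getinboxsms", "getsentsms", "deletesms", "getuseraccounts",
    "getinstalledapps", "httpflood", "openapp", "opendialog", "uploadpictures",
    "setbackupurl", "transferbot",
})
# Keywords a benign app would very rarely carry as identifiers (assumed subset).
DISTINCTIVE = frozenset({"httpflood", "transferbot", "setbackupurl",
                         "deletecalllognumber", "promptuninstall", "blocksms"})

def find_commands(blob: bytes) -> set:
    """Return the Dendroid command keywords that occur in `blob` as whole
    lowercase tokens (dex string_data_items are NUL-terminated, so a keyword
    stored as its own string sits between non-letter bytes)."""
    found = set()
    for cmd in DENDROID_COMMANDS:
        if re.search(rb"(?<![a-z])" + cmd.encode() + rb"(?![a-z])", blob):
            found.add(cmd)
    return found

def score_dendroid(blob: bytes) -> dict:
    """Heuristic verdict: many command keywords, or several distinctive ones,
    suggest the Dendroid command dispatcher is compiled into this file."""
    found = find_commands(blob)
    distinctive = found & DISTINCTIVE
    verdict = "dendroid-like" if len(distinctive) >= 2 or len(found) >= 10 else "benign"
    return {"matched": found, "distinctive": distinctive, "verdict": verdict}

def mock_dex_strings(strings):
    """Constructed stand-in for a dex string table: 1-byte length, bytes, NUL."""
    return b"".join(bytes([len(s)]) + s.encode() + b"\x00" for s in strings)

# Constructed samples for the demo, not real malware data.
SUSPECT = mock_dex_strings(["Lcom/example/svc;", "httpflood", "transferbot",
                            "getinboxsms", "recordcalls", "setbackupurl"])
CLEAN = mock_dex_strings(["Lcom/example/ui;", "getcontacts", "openapp", "intercept"])

if __name__ == "__main__":
    for name, blob in (("suspect", SUSPECT), ("clean", CLEAN)):
        print(name, score_dendroid(blob))
```

Because it matches plain strings only, the heuristic misses a repacked sample whose command table is obfuscated; it is a triage aid, not a substitute for dynamic analysis.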
Dendroid's poorly written code for receiving commands:
For self-protection, Dendroid loops to check whether its service is still alive. It can also detect whether it is running in a sandbox (and self-terminates if so), delaying analysis and helping it survive longer on app markets that rely on simple sandbox-based detection. Don't worry: Trustlook does not use emulators to build its sandbox; we use real phones. Trustlook Antivirus now detects Dendroid perfectly.
Dendroid may not be the best in remote-control capability, but it is so far the most popular and commercialized one, which indicates that the underground Android malware market is growing. Driven by the huge number of potential targets and the profit to be made, we believe this kind of malware will appear more frequently in the near future. Trustlook will keep an eye on these new threats and share our latest updates with you.