Dendroid: Android Trojan Being Commercialized

Today we talk about Dendroid, a remote access tool (RAT) first discovered by researchers at Symantec (http://www.symantec.com/connect/blogs/android-rats-branch-out-dendroid).


As an Android trojan, Dendroid raised the bar on malware commercialization: $300 for lifetime updates; 24/7 customer support; Bitcoin and Litecoin accepted as payment, so buyers need not worry about disclosing their identity; and an "app-repacking" service, so you can customize your trojan and bind it to a normal app as a disguise. This trojan even sneaked past Google's automatic malware scanner within the Google Play Store, and was later removed by Google.

f9faab60a3f1680dcd0b2f98ae1215cb

If you unfortunately downloaded and opened it, your phone would become part of the hacker's botnet. Dendroid continuously listens for commands sent from the C&C (command and control) server and executes any command the hacker gives it. Dendroid supports a large set of commands, including spying through the camera, recording phone conversations and SMS, and even launching a DDoS attack as part of the botnet:

  • mediavolumeup
  • mediavolumedown
  • ringervolumeup
  • ringervolumedown
  • screenon
  • recordcalls
  • intercept
  • blocksms
  • recordaudio
  • takevideo
  • takephoto
  • settimeout
  • sendtext
  • sendcontacts
  • callnumber
  • deletecalllognumber
  • openwebpage
  • updateapp
  • promptupdate
  • promptuninstall
  • uploadfiles
  • changedirectory
  • deletefiles
  • getbrowserhistory
  • getbrowserbookmarks
  • getcallhistory
  • getcontacts
  • getinboxsms
  • getsentsms
  • deletesms
  • getuseraccounts
  • getinstalledapps
  • httpflood
  • openapp
  • opendialog
  • uploadpictures
  • setbackupurl
  • transferbot

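Because the bot's dispatcher compares each C&C message against these command literals, the vocabulary above survives in the app's string table and can be matched statically. As an added example (not code from Trustlook or from the post), here is a triage check that looks for that vocabulary in strings extracted from an APK; the sample strings, the thresholds and the "distinctive" subset are constructed assumptions of mine.

```python
"""Static triage for Dendroid's command vocabulary (added example).

Assumes the analyst has already dumped the string table from an APK's
classes.dex; the input lists below are constructed for illustration.
"""
import re

# Command names exactly as listed in the post.
DENDROID_COMMANDS = frozenset("""
mediavolumeup mediavolumedown ringervolumeup ringervolumedown screenon
recordcalls intercept blocksms recordaudio takevideo takephoto settimeout
sendtext sendcontacts callnumber deletecalllognumber openwebpage updateapp
promptupdate promptuninstall uploadfiles changedirectory deletefiles
getbrowserhistory getbrowserbookmarks getcallhistory getcontacts getinboxsms
getsentsms deletesms getuseraccounts getinstalledapps httpflood openapp
opendialog uploadpictures setbackupurl transferbot
""".split())

# Assumed subset: tokens unlikely in benign apps. Generic ones such as
# "screenon" or "openapp" appear in ordinary code and count less on their own.
DISTINCTIVE = frozenset({"transferbot", "setbackupurl", "httpflood",
                         "deletecalllognumber", "promptuninstall", "blocksms"})

_TOKEN = re.compile(r"[a-z0-9]+")


def dendroid_command_hits(strings):
    """Return the set of Dendroid command names present in a string table."""
    hits = set()
    for s in strings:
        for tok in _TOKEN.findall(s.lower()):
            if tok in DENDROID_COMMANDS:
                hits.add(tok)
    return hits


def triage(strings, min_hits=8, min_distinctive=2):
    """Flag a string table whose overlap with the command set is too large to
    be coincidence. The check is static, so the bot's emulator detection
    (which only helps it against dynamic sandboxes) cannot influence it."""
    hits = dendroid_command_hits(strings)
    distinctive = hits & DISTINCTIVE
    flagged = len(hits) >= min_hits and len(distinctive) >= min_distinctive
    return {"hits": sorted(hits), "distinctive": sorted(distinctive),
            "flagged": flagged}


# Constructed samples: dispatcher literals mixed with unrelated strings.
SAMPLE_STRINGS = ["mediavolumeup", "recordcalls", "intercept", "blocksms",
                  "httpflood", "transferbot", "setbackupurl", "getinboxsms",
                  "uploadpictures", "android.permission.RECORD_AUDIO",
                  "Content-Type: application/x-www-form-urlencoded"]
BENIGN_STRINGS = ["screenon", "openapp", "Settings", "volume up"]
```

Run `triage(SAMPLE_STRINGS)` to see the matched vocabulary and verdict; tune the thresholds against your own benign corpus before using them for anything beyond triage.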
[Screenshot: Dendroid's poorly written code for receiving commands]

[Screenshot: camera recording code]

For self-protection, Dendroid loops checking whether its service is still alive. It can also detect whether it is running in a sandbox (if so, it self-terminates) to delay analysis, which helps it survive longer on app markets that rely on simple sandbox-based detection. And don't worry: Trustlook doesn't use emulators to build its sandbox; we use real phones. Trustlook Antivirus can now detect Dendroid perfectly.


Dendroid may not have the best remote-control capability, but it is so far the most popular and commercialized one, indicating that the underground Android malware market is growing. Driven by the huge number of potential targets and by profit, we believe this kind of malware will appear more frequently in the near future. Trustlook will keep an eye on these new threats and share our latest updates with you.

