'Dendroid' RAT trojanizes apps, enables compromise of Android devices

Share this article:

A new HTTPS remote administration tool (RAT) for Android-based mobile devices has been discovered for sale on underground marketplaces, according to Symantec researchers.

The RAT is known as Dendroid, costs $300, and contains an application APK binder package, which allows attackers to lace authentic apps with malicious code and turn them into malware, according to a Wednesday post by Peter Coogan, a Symantec employee.

“The most common usage would be to trojanize a well-known legitimate Android app and then get that placed onto the various Android marketplaces,” an immediately unnamed Symantec security researcher told SCMagazine.com in a Thursday email correspondence. “From there it would need to be downloaded by a victim and granted permission to install. This would then give the attacker remote access to the victim's phone.”

The feature set of Dendroid is robust, the Symantec security researcher said, explaining that, once the victim is infected, an attacker can perform literally any action, including calling phone numbers, recording audio, intercepting texts, opening apps and websites, and even taking and uploading photos.

“This holds the potential for stealing lots of personally identifiable information from the victim and even the victim's contacts,” the Symantec security researcher said. “It can be used for financial gain by sending text messages or using it to dial premium rate numbers.”

Norton Mobile Security can detect the Dendroid threat, but users can prevent infection altogether by not blindly accepting permissions, the Symantec security researcher said, adding that users should also carefully monitor their service bills for any irregular charges.

“Google is doing what it can to mitigate these types of threats,” the Symantec security researcher said. “One of the biggest problems we see is that when improvements are implemented, they don't get rolled out to all users as it is dependent on the individual's service carrier to push out said updates.”

The communications team with Symantec could not immediately identify the responding researcher, but told SCMagazine.com that the comments can be attributed to “a Symantec security researcher.”

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters


More in News

Email promises free pizza, ensnares victims in Asprox botnet instead

Email promises free pizza, ensnares victims in Asprox ...

Cloudmark came upon an email that offers free pizza, but clicking on the link to get the coupon ends with victims being ensnared in a botnet.

Report: most orgs lacking in response team, policies to address cyber incidents

In its Q3 threat intelligence report, Solutionary learned that 75 percent of organizations it assisted had no response team or policies and procedures to address cyber incidents.

Flash redirect campaign impacts Carnegie Mellon page, leads to Angler EK

Flash redirect campaign impacts Carnegie Mellon page, leads ...

Malwarebytes found that, since early July, thousands of sites had been targeted in the campaign.