For about $40, "binder" tool weaponizes Android apps for you
Android app lies to users that their device is infected by viruses, asks for money
A tool that "trojanizes" legitimate Android apps may be a dream come true for criminals with ill intent but little skill or patience to craft their own malicious code.
According to researchers at Symantec, for just $37, saboteurs can buy the AndroRAT APK Binder, currently being sold on underground forums. Andrea Lelli, a Symantec researcher, wrote in a Tuesday blog post that binders are the “first tools that easily allow users to repackage and trojanize legitimate Android applications with AndroRAT,” a remote access trojan (RAT) for Android devices that was made freely available online last November by online crooks.
With the binder tool in tow, saboteurs can readily turn popular games or other applications, like calendars or newsfeeds, into weaponized apps that infect devices with AndroRAT – which can make calls and send text messages, operate the microphone and camera, and access victims' GPS coordinates and other data stored on the device.
In a Wednesday interview, Vikram Thakur, principal security response manager at Symantec, told SCMagazine.com that the Android binder has an easily accessible control panel.
“The binder will ask you for a clean application, and ask where you want to set up your command-and-control server,” Thakur said. “Someone who doesn't need to know anything about code can do this for about 40 bucks. Eventually, you are going to have to distribute that trojanized application yourself, but it will give you the code. It just spits out the package for the application."
So far, fewer than 1,000 devices worldwide have been infected with AndroidRAT, also known as Dandro, with the majority of cases in the United States and Turkey.
Symantec researchers have tracked a rise in infection numbers recently, however, and expect incidents to increase as fraudsters continue to develop tools, like binders, to spread Android remote access trojans.
About 23 popular apps have been infected with AndroRAT, Symantec found, though none have been detected in the official Google Play store.
Thakur added that one red flag among the apps infected with AndroRAT is that they are usually available for free in third-party stores, while the clean versions of the apps required payment.