Saboteurs slip Dendroid RAT into Google Play

Google quickly removed the malware, which was disguised as a legitimate parental control app.

A new remote access tool (RAT) that trojanizes Android apps made its way into Google's official app store.

Last Wednesday, Symantec first warned users about the $300 RAT called Dendroid that contained an application APK binder package for compromising apps.

By Thursday, different researchers at mobile security firm Lookout revealed that a limited number of Android users had already been tricked into downloading the malware.

Marc Rogers, principal security researcher at San Francisco-based Lookout, wrote in the Thursday post that Dendroid had been slipped into Google Play, though the spurious app was speedily removed. According to an Ars Technica report, the malware was masquerading as a legitimate app called Parental Control, and had been downloaded 10 to 50 times before Google took it down.

Of note, Dendroid is capable of taking over a phone's camera, downloading existing photos, recording calls, audio and video, and sending texts from victims' devices.

While Lookout researchers don't believe Dendroid will become a significant threat due to security firms being on alert for the malware, the toolkit does endorse a business model “reminiscent of Russian custom malware toolkits,” Lookout's Rogers noted.

Dendroid's author accepts payment for the malware in Bitcoin and offers a warranty that the RAT will skirt detection once dispatched, he added.

“Dendroid also comes bundled with a universal ‘binder application,’” Rogers wrote. “This is a point-and-click tool that a customer can use to inject (or bind) Dendroid into any innocent target application that they choose with minimal effort. This means that all a wannabe malware author needs in order to start pumping out infected applications is to choose a carrier app, download it and then let Dendroid's toolkit take care of the rest,” he warned.

On Monday, Jeremy Linden, senior security product manager at Lookout, told SCMagazine.com via email that the company “has not detected any further apps using the Dendroid toolkit” since last week, but that the malware could resurface.

“Because it was sold as a set of automated tools for malware writers to use to plug malicious functions into apps, it's very possible that we could see it again,” Linden said.
