Saboteurs slip Dendroid RAT into Google Play

Google quickly removed the malware, which was disguised as a legitimate parental control app.

A new remote access tool (RAT) that trojanizes Android apps made its way into Google's official app store.

Last Wednesday, Symantec first warned users about the $300 RAT called Dendroid that contained an application APK binder package for compromising apps.

By Thursday, different researchers at mobile security firm Lookout revealed that a limited number of Android users had already been tricked into downloading the malware.

Marc Rogers, principal security researcher at San Francisco-based Lookout, wrote in the Thursday post that Dendroid had been slipped into Google Play, though the spurious app was speedily removed. According to an Ars Technica report, the malware was masquerading as a legitimate app called Parental Control, and had been downloaded 10 to 50 times before Google took it down.

Of note, Dendroid is capable of taking over a phone's camera, downloading existing photos, recording calls, audio and video, and sending texts from victims' devices.

While Lookout researchers don't believe Dendroid will become a significant threat due to security firms being on alert for the malware, the toolkit does endorse a business model “reminiscent of Russian custom malware toolkits,” Lookout's Rogers noted.

Dendroid's author accepts payment for the malware in Bitcoin and offers a warranty that the RAT will skirt detection once dispatched, he added.

“Dendroid also comes bundled with a universal ‘binder application,’” Rogers wrote. “This is a point-and-click tool that a customer can use to inject (or bind) Dendroid into any innocent target application that they choose with minimal effort. This means that all a wannabe malware author needs in order to start pumping out infected applications is to choose a carrier app, download it and then let Dendroid's toolkit take care of the rest,” he warned.

On Monday, Jeremy Linden, senior security product manager at Lookout, told SCMagazine.com via email that the company “has not detected any further apps using the Dendroid toolkit” since last week, but that the malware could resurface.

“Because it was sold as a set of automated tools for malware writers to use to plug malicious functions into apps, it's very possible that we could see it again,” Linden said.
