A new HTTPS remote administration tool (RAT) for Android-based mobile devices has been discovered for sale on underground marketplaces, according to Symantec researchers.
The RAT is known as Dendroid, costs $300, and contains an application APK binder package, which allows attackers to lace authentic apps with malicious code and turn them into malware, according to a Wednesday post by Peter Coogan, a Symantec employee.
“The most common usage would be to trojanize a well-known legitimate Android app and then get that placed onto the various Android marketplaces,” an immediately unnamed Symantec security researcher told SCMagazine.com in a Thursday email correspondence. “From there it would need to be downloaded by a victim and granted permission to install. This would then give the attacker remote access to the victim's phone.”
The feature set of Dendroid is robust, the Symantec security researcher said, explaining that, once the victim is infected, an attacker can perform literally any action, including calling phone numbers, recording audio, intercepting texts, opening apps and websites, and even taking and uploading photos.
“This holds the potential for stealing lots of personally identifiable information from the victim and even the victim's contacts,” the Symantec security researcher said. “It can be used for financial gain by sending text messages or using it to dial premium rate numbers.”
Norton Mobile Security can detect the Dendroid threat, but users can prevent infection altogether by not blindly accepting permissions, the Symantec security researcher said, adding that users should also carefully monitor their service bills for any irregular charges.
“Google is doing what it can to mitigate these types of threats,” the Symantec security researcher said. “One of the biggest problems we see is that when improvements are implemented, they don't get rolled out to all users as it is dependent on the individual's service carrier to push out said updates.”
The communications team with Symantec could not immediately identify the responding researcher, but told SCMagazine.com that the comments can be attributed to “a Symantec security researcher.”