A new remote access tool (RAT) that trojanizes Android apps made its way into Google's official app store.
Last Wednesday, Symantec first warned users about Dendroid, a $300 RAT sold together with an APK binder package for trojanizing existing apps. By Thursday, researchers at mobile security firm Lookout revealed that a limited number of Android users had already been tricked into downloading the malware.
Marc Rogers, principal security researcher at San Francisco-based Lookout, wrote in a Thursday blog post that Dendroid had been slipped into Google Play, though the spurious app was quickly removed. According to an Ars Technica report, the malware was masquerading as a legitimate app called Parental Control and had been downloaded 10 to 50 times before Google took it down.
Of note, Dendroid is capable of taking over a phone's camera, downloading existing photos, recording calls, audio and video, and sending texts from victims' devices.
While Lookout researchers don't believe Dendroid will become a significant threat, since security firms are now on alert for the malware, the toolkit follows a business model “reminiscent of Russian custom malware toolkits,” Lookout's Rogers noted.
Dendroid's author accepts payment for the malware in Bitcoin and offers a warranty that the RAT will evade detection once deployed, he added.
“Dendroid also comes bundled with a universal ‘binder application,’” Rogers wrote. “This is a point-and-click tool that a customer can use to inject (or bind) Dendroid into any innocent target application that they choose with minimal effort. This means that all a wannabe malware author needs in order to start pumping out infected applications is to choose a carrier app, download it and then let Dendroid's toolkit take care of the rest,” he warned.
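A binder of the kind Rogers describes leaves a recognisable trail: because an APK's signature covers every entry in the archive, anyone who injects code into a carrier app has to re-sign it with their own key, and the injected payload shows up as new or altered entries (extra DEX files, native libraries, a manifest with new permissions or components). The script below is an added illustration of how a practitioner can diff a suspect APK against a known-good copy of the carrier app to surface exactly those indicators. It is not code from Lookout, Symantec or the Dendroid toolkit, and it assumes you already hold the clean original. The two in-memory "APKs" are constructed stand-ins (an APK is just a ZIP with a fixed layout), and hashing the raw META-INF signature block is used as a cheap stand-in for parsing the signing certificate; on real files you would read the certificate out of the PKCS#7 block instead.

```python
"""Repackaging diff: compare a suspect APK with a known-good carrier APK.

Added example, not part of the original article or any vendor tool.
Sample archives below are constructed in memory to stand in for real APKs.
"""
import hashlib
import io
import zipfile


def build_apk(entries):
    """Build a minimal ZIP that stands in for an APK (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def apk_inventory(apk_bytes):
    """Return per-entry SHA-256 digests plus a digest of the signature blocks.

    The signature-block digest is a stand-in for the signer certificate:
    any re-signed APK carries different META-INF/*.RSA|DSA|EC content.
    """
    digests = {}
    signer = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in sorted(zf.namelist()):
            data = zf.read(name)
            if name.startswith("META-INF/"):
                # Signature and manifest files always change on re-signing;
                # fold the signature blocks into one digest, skip the rest.
                if name.upper().endswith((".RSA", ".DSA", ".EC")):
                    signer.update(name.encode())
                    signer.update(data)
                continue
            digests[name] = hashlib.sha256(data).hexdigest()
    return {"digests": digests, "signer": signer.hexdigest()}


def diff_apks(original, suspect):
    """Diff two APKs and return the repackaging indicators found."""
    a, b = apk_inventory(original), apk_inventory(suspect)
    added = sorted(set(b["digests"]) - set(a["digests"]))
    removed = sorted(set(a["digests"]) - set(b["digests"]))
    modified = sorted(n for n in a["digests"]
                      if n in b["digests"] and a["digests"][n] != b["digests"][n])
    signer_changed = a["signer"] != b["signer"]

    reasons = []
    if signer_changed:
        reasons.append("re-signed with a different certificate")
    if any(n.endswith(".dex") or n.startswith("lib/") for n in added):
        reasons.append("new executable code added (dex or native library)")
    if "AndroidManifest.xml" in modified:
        reasons.append("manifest changed (new permissions or components likely)")

    return {
        "added": added,
        "removed": removed,
        "modified": modified,
        "signer_changed": signer_changed,
        "reasons": reasons,
        "verdict": "suspect repackaging" if reasons else "no repackaging indicators",
    }


# Constructed carrier app and a constructed "bound" copy of it: the payload
# arrives as an extra DEX, the original DEX and manifest are patched, and the
# archive is re-signed with a different (here: fake) certificate blob.
CARRIER_APK = build_apk({
    "AndroidManifest.xml": b"<manifest package='example.carrier'/>",
    "classes.dex": b"dex\n035\x00carrier-code",
    "res/layout/main.xml": b"<LinearLayout/>",
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0",
    "META-INF/CERT.RSA": b"constructed-developer-signature-block",
})
BOUND_APK = build_apk({
    "AndroidManifest.xml": b"<manifest package='example.carrier' extra-permissions='yes'/>",
    "classes.dex": b"dex\n035\x00carrier-code-with-hook",
    "classes2.dex": b"dex\n035\x00injected-payload",
    "res/layout/main.xml": b"<LinearLayout/>",
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0 (regenerated)",
    "META-INF/CERT.RSA": b"constructed-attacker-signature-block",
})

if __name__ == "__main__":
    for key, value in diff_apks(CARRIER_APK, BOUND_APK).items():
        print(f"{key}: {value}")
```

The changed signer is the indicator to weight most heavily: injected code can be obfuscated and a manifest can be left untouched if the carrier already holds the permissions the payload needs, but the attacker cannot produce the developer's signature. In practice the known-good copy comes from the developer's own distribution channel or a previously vetted install, and the signer comparison is done on the parsed certificate fingerprint rather than on the raw block as here.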
On Monday, Jeremy Linden, senior security product manager at Lookout, told SCMagazine.com via email that the company “has not detected any further apps using the Dendroid toolkit” since last week, but that the malware could resurface.
“Because it was sold as a set of automated tools for malware writers to use to plug malicious functions into apps, it's very possible that we could see it again,” Linden said.