Dendroid RAT: the Next Stage of Android Malware Evolution

Dendroid is an HTTP RAT that is marketed as being transparent to the user and firmware interface. It comes with a sophisticated PHP panel and an application APK binder package that has links to the author of the original AndroRAT APK binder.

“According to postings on underground forums, the official seller of Dendroid is known as ‘Soccer,’” said Symantec researcher Peter Coogan, in a blog. “The seller markets Dendroid as offering many features that have never been seen before and comes with 24/7 support, all for a once off payment of $300 to be paid through BTC, LTC, BTC-e, or other services.”

Dendroid, true to its name, offers many branches of functionality with which to manhandle unsuspecting Android-based mobile phones, including the ability to make calls and delete call logs, open web pages, record calls and audio, intercept text messages, take and upload photos and videos, open an application, initiate an HTTP flood for a period of time for DoS purposes, and change command-and-control (C&C) servers.

In short, it’s a cornucopia of information-stealing and money-scamming goodness for criminals. The presence of the AndroRAT-related binder, however, makes it that much more dangerous. When used with a binder, the platform allows an attacker with limited expertise to automate the process of infecting any legitimate Android application with the RAT, thus trojanizing the app.

“The evolution of remote access tools on the Android platform was inevitable,” said Coogan. “The creation of Dendroid and the positive feedback on underground forums for this type of threat shows that there is a strong cybercriminal marketplace for such tools.”

He noted that on the PC platform, other crimeware toolkits like Zeus and SpyEye started off in a similar manner and grew quickly in popularity due to their ease of use and the notoriety stemming from the high-profile crimes perpetrated as a result of their usage.

“Darwinism is partly based on the ability for change that increases an individual’s ability to compete and survive,” Coogan said. “Malware authors are not much different and need to adapt to survive in changing technological landscapes and marketplaces.”
