New Android "RAT" infects Google Play apps, turning phones into spyware zombies
An easy to use new "Remote Administration Tool" malware package for Android offers to infect users, steal their photos and text messages, secretly capture audio or video, record their calls, download their web browser history and steal their email, Facebook and VPN account information.
The practice of selling such a malware package targeting Android is so common it has a pet name among security researchers: an "Android RAT," for Remote Administration Tool.
However, the latest RAT is raising eyebrows in the security community because of its low cost (just $300 for unlimited use, paid for via untraceable currencies such as Bitcoin) and its ability to sneak past Google's automated malware scanner in the Google Play app market, where legitimate-appearing, RAT-infected apps can hide out undetected.
Dendroid infects Google Play, gnaws at user data
Known as Dendroid, the new Android RAT package is being sold as an "APK Binder," which can take any original or stolen Android app and incorporate its own malware as a Trojan payload. After distributing the infected app, Dendroid's RAT customers can monitor the spread of their infection via web-based tools.
RAT-infected Android devices can be remotely zombified by the perpetrator, allowing virtually unlimited access to photos, data and messages on the device. The Dendroid RAT provides full access to infected devices' camera and microphone, and can place calls or listen in on a user's phone conversations or text messages.
Distributing Dendroid is easy because, as a report by security firm Lookout stated, "it looks as if Dendroid was designed with evading Play Store security in mind."
The firm noted that, "Amongst its numerous features, Dendroid features some relatively simple -- yet unusual -- anti-emulation detection code that helps it evade detection by Bouncer, Google's anti-malware screening system for the play store."
Google's Bouncer scans for malware by emulating submitted apps to review their functionality for telltale, illegal behaviors. Dendroid-infected Android apps are designed to be smart enough to avoid executing their malware code while being run in emulation by Google's Bouncer scanning process.
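Bouncer's limitation, as described above, is that an app which behaves differently under emulation never shows its real behaviour to the scanner. A reviewer who knows this can at least flag such samples statically and route them to analysis on a physical device. The script below is an added example written for this article, not code from Google, Lookout or Bitdefender; it scans strings extracted from a decoded APK (the sample lines are constructed here, not real Dendroid artefacts) for commonly documented emulator fingerprints and the Build/TelephonyManager reads that environment-aware code tends to make, and escalates when several independent indicator categories appear together. The indicator table and the two-category threshold are this example's own assumptions, to be tuned for a real pipeline.

```python
import re
from typing import Dict, Iterable, List

# Documented Android emulator fingerprints and the framework reads used to
# compare against them. Assumption: a reviewer extends this table for their
# own pipeline; it is illustrative, not exhaustive.
EMULATOR_INDICATORS: Dict[str, re.Pattern] = {
    "build_props":   re.compile(r"\b(goldfish|ranchu|generic_x86|google_sdk|sdk_gphone)\b"),
    "model_strings": re.compile(r"Android SDK built for|\bEmulator\b"),
    "default_ids":   re.compile(r"\b(15555215554|000000000000)\b"),  # emulator default number / IMEI
    "build_api":     re.compile(r"Landroid/os/Build;->(FINGERPRINT|MODEL|PRODUCT|HARDWARE|BRAND)"),
    "telephony_api": re.compile(r"Landroid/telephony/TelephonyManager;->(getDeviceId|getLine1Number|getNetworkOperatorName)"),
}


def find_indicators(strings: Iterable[str]) -> Dict[str, List[str]]:
    """Return, per indicator category, the extracted strings that matched it."""
    hits: Dict[str, List[str]] = {}
    for s in strings:
        for category, pattern in EMULATOR_INDICATORS.items():
            if pattern.search(s):
                hits.setdefault(category, []).append(s)
    return hits


def triage(strings: Iterable[str], threshold: int = 2) -> str:
    """Classify a sample from its extracted strings.

    A lone Build.MODEL read is common in benign apps (crash reporters,
    analytics), so one category is only a weak signal. Several independent
    categories together are what justifies skipping the emulator result and
    running the sample on real hardware.
    """
    hits = find_indicators(strings)
    if len(hits) >= threshold:
        return "escalate: run on physical device"
    if hits:
        return "low: single emulator-aware indicator"
    return "none"


# Constructed sample input in the shape of `strings`/smali output from a
# decoded APK. These are made up for the example, not real malware artefacts.
SUSPECT_STRINGS = [
    "Landroid/os/Build;->FINGERPRINT:Ljava/lang/String;",
    "generic",
    "goldfish",
    "Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;",
    "000000000000",
    "Lcom/example/game/MainActivity;->onCreate(Landroid/os/Bundle;)V",
]

BENIGN_STRINGS = [
    "Landroid/os/Build;->MODEL:Ljava/lang/String;",  # typical crash-reporter metadata
    "Lcom/example/notes/NoteActivity;->onCreate(Landroid/os/Bundle;)V",
    "Saved successfully",
]

if __name__ == "__main__":
    for name, sample in (("suspect", SUSPECT_STRINGS), ("benign", BENIGN_STRINGS)):
        print(f"{name}: {triage(sample)}")
        for category, matched in find_indicators(sample).items():
            print(f"  {category}: {matched}")
```

The constructed suspect sample trips four categories (build properties, default identifiers, a Build read and a TelephonyManager read) and is escalated; the benign sample reads only Build.MODEL and stays low. The point of the heuristic is prioritisation, not a verdict: it tells the reviewer which submissions should not be judged on an emulator run alone.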
Malware is Android's primary exclusive app
Most malware is incentivized by commercial activity, often by presenting ads or spreading spyware that can harvest valuable marketing data. In addition to these, Dendroid also offers to earn its keep as a tool for generating massive Denial of Service attacks across the population of its infected devices.
A report by Lucian Constantin for IT World cited Bogdan Botezatu, a senior e-threat analyst at Bitdefender, as saying that "Dendroid is a much improved remote access tool that is definitely aimed for commercial purposes," adding that "Although it roughly does the same as Androrat [an older Android RAT], it appears to be much more stable and allows cybercriminal groups to better manage the pool of mobile bots."
Android malware has pretty much followed in the footsteps of Windows malware
Constantin noted that "Android malware has pretty much followed in the footsteps of Windows malware," again citing Botezatu as stating that "Cybercrime is all about making easy money with minimum of effort. Creating a piece of malware that is stable, tested and does not crash the host device requires a lot of work and skill."
How to avoid Dendroid
Android users can adopt the same protections that Windows PC users did during the malware crisis that plagued Microsoft's platform ten years ago. That includes not installing apps from untrusted sources and installing third-party malware scanner tools.
Over the past ten years, however, a significant portion of Windows users have simply switched from the wide open, malware-saturated Windows platform to Apple's Macs and iOS devices. Macs never became a significant malware target, an advantage Apple advertised and worked to preserve.
When it introduced iOS in 2007, Apple incorporated a new security model that attempted to destroy the low hanging fruit supporting the malware market on previous mobile devices.
Apple stated that it "designed the iOS platform with security at its core," detailing that, "when we set out to create the best possible mobile OS, we drew from decades of experience to build an entirely new architecture. We thought about the security hazards of the desktop environment, and established a new approach to security in the design of iOS. We developed and incorporated innovative features that tighten mobile security and protect the entire system by default. As a result, iOS is a major leap forward in OS security."
Apple has since brought many of these protections to its desktop Mac platform, from signed apps to a secure app market and regular free software updates that target and solve vulnerabilities faster than malware authors can build a business around them.
In stark contrast, Google simply recreated Microsoft's malware-harboring platform among mobile devices via Android, allowing third party developers to release "open" apps that can obtain inappropriate access to user content and data.
Google maintains no accountability for the devices that ship with Android, and most devices ship with outdated versions with known security vulnerabilities. Most of these will never receive security updates.
Comments
Any stats on infection rates and geographic locations of those most at risk? No? I wonder why that could be.
The denial of service capabilities available to the RATs can affect anyone regardless of which platform they use. With the possibilities of millions or even billions of infected Android devices, no one is immune from their DDoS attacks.
http://arstechnica.com/security/2014/03/malware-designed-to-take-over-cameras-and-record-audio-enters-google-play/
The article was actually pretty informative, at least until it strayed into misinformation at the very end. Every Google Android device with 2.3 and above (that's pretty much all of them) has received security updates even if the OS itself is still an older version. Security and feature updates can come directly from Google via Play Services and have.
There are attacks coming at us from all directions anymore.
Right, because there are so many directions that Android apps can take to deliver malware. It is nice that Google Play caught one app but what about all the other ways to download apps for Android? In the old days they would post a link to see Britney nude, now just substitute Taylor Swift or whomever and download away.
Every Google Android device with 2.3 and above (that's pretty much all of them) has received security updates even if the OS itself is still an older version.
Spin doctoring. What do security updates for older phones have to do with this type of app that bypasses every security protocol in place for even newer phones?
There are attacks coming at us from all directions anymore.
Right, because there are so many directions that Android apps can take to deliver malware. It is nice that Google Play caught one app but what about all the other ways to download apps for Android? In the old days they would post a link to see Britney nude, now just substitute Taylor Swift or whomever and download away.
Comes with the territory of having the highest market share, unfortunately. When there is a will, there is a way.
Not sure that sticking your head in the ground and being skeptical of validity of this story is a productive move. Therefore, I am glad Google has acknowledged there is a challenge because they are the #1 target, and hopefully for the sake of their users they will step up the effort, even if it means being less "open".
Just hope it's not too late to get the horse back into the barn.
Toothpaste cannot be put back in the tube. Google unleashed Android on the world and they can't recall it.
Sure, they have gotten some security updates with the lateral move Google implemented, which is good, but does that mean that all the holes that are in version 2.3 are now closed as if they were running 4.4? And why have the different versions if the actual OS version doesn't mean anything? And what about the different API versions? 2.3 "Gingerbread" is API Level 10 while 4.4 "Kit Kat" is API Level 19. Those have to mean something, otherwise why have them at all?
This sounds like a job for Mythbusters.
[quote name="AppleInsider" url="/t/162893/new-android-rat-infects-google-play-apps-turning-phones-into-spyware-zombies#post_2483375"]
Google maintains no accountability for the devices that ship with Android... Most of these will never receive security updates.[/quote]
The article was actually pretty informative, at least until it strayed into misinformation at the very end. Every Google Android device with 2.3 and above (that's pretty much all of them) has received security updates even if the OS itself is still an older version. Security and feature updates can come directly from Google via Play Services and have.
Android 2.3 has known vulnerabilities that Google is never going to patch. That, and every security and networking company of record on the subject has echoed what Juniper says (a pic even included in the story for you): majority of Android users are unpatched.
It’s not in Google’s interest, nor that of the carrier or hardware maker, to create and distribute updates. All they want to do is ship volumes as broadly as possible, just like the PC makers who presided over the Windows Malware Era.
Google turned back the clock after iOS and promised a new world of exciting openness. It was wrong. Android’s "Open" has been a total failure across the platform.
How could these denial of service attacks be fended off?
Obviously you cover the stuff you can but no consumer OS can catch everything. RAT malware evades Mac defenses too IIRC. Wasn't there some email infection going around disguised as FedEx or DHL notices a couple months back? I received a couple of those myself but was smart enough to delete them. You can be sure that some folks didn't.
Still doesn't make the last paragraph of the article true in any event. It isn't. Google has rolled out security updates to essentially ALL Google Android devices whether the manufacturer made an OS update available or not.
Any stats on infection rates and geographic locations of those most at risk? No? I wonder why that could be.
In whose interest would that be? That’s as dumb as saying President Reagan ignored AIDS for years so it probably wasn’t a real problem.
You know Mythbusters actually used one of our products in their show. They called us up to ask permission. The show wasn't about our product, just that they used it to debunk something else.
Push or hunt and seek?
Get ready for some Android Apologist knee-jerk reactions:
1. But most Android users don't even know about Google Play, so they're safe. Oh wait...
2. But it only affects the latest 4.4 KitKat release, and almost nobody has that yet. Oh wait...
3. So yeah, the RAT affects other releases. It proves that fragmentation isn't really all *that* bad. Oh wait...
4. But most Android devices are Chinese no-name knockoffs that don't connect to Google Play anyway. Oh wait...
6. But 99% of all mobile malware is on Android already, so what's one more little bad app? Oh wait...
7. etc.