New Android "RAT" infects Google Play apps, turning phones into spyware zombies

Posted in iPhone, edited March 2014
An easy to use new "Remote Administration Tool" malware package for Android offers to infect users, steal their photos and text messages, secretly capture audio or video, record their calls, download their web browser history and steal their email, Facebook and VPN account information.

[Image: Android RAT Dendroid]

The practice of selling such a malware package targeting Android is so common it has a pet name among security researchers: an "Android RAT," for Remote Administration Tool.

However, the latest RAT is raising eyebrows in the security community because of its low cost (just $300 for unlimited use, paid for via untraceable currencies such as Bitcoin) and its ability to sneak past Google's automated malware scanner in the Google Play app market, where legitimate-appearing, RAT-infected apps can hide out undetected.

Dendroid infects Google Play, gnaws at user data

Known as Dendroid, the new Android RAT package is being sold as an "APK Binder," which can take any original or stolen Android app and incorporate its own malware as a Trojan payload. After distributing the infected app, Dendroid's RAT customers can monitor the spread of their infection via web-based tools.

RAT-infected Android devices can be remotely zombified by the perpetrator, allowing virtually unlimited access to photos, data and messages on the device. The Dendroid RAT provides full access to infected devices' camera and microphone, and can place calls or listen in on a user's phone conversations or text messages.

[Image: Android spy tool Dendroid]

Distributing Dendroid is easy because, as a report by security firm Lookout stated, "it looks as if Dendroid was designed with evading Play Store security in mind."

The firm noted that, "Amongst its numerous features, Dendroid features some relatively simple -- yet unusual -- anti-emulation detection code that helps it evade detection by Bouncer, Google's anti-malware screening system for the play store."

Google's Bouncer scans for malware by running submitted apps in an emulator and reviewing their behavior for telltale malicious activity. Dendroid-infected Android apps are designed to be smart enough to avoid executing their malware code while being run in emulation by Google's Bouncer scanning process.

Malware is Android's primary exclusive app

Most malware is incentivized by commercial activity, often by presenting ads or spreading spyware that can harvest valuable marketing data. In addition to these, Dendroid also offers to earn its keep as a tool for generating massive Denial of Service attacks across the population of its infected devices.

A report by Lucian Constantin for IT World cited Bogdan Botezatu, a senior e-threat analyst at Bitdefender, as saying that "Dendroid is a much improved remote access tool that is definitely aimed for commercial purposes," adding that "Although it roughly does the same as Androrat [an older Android RAT], it appears to be much more stable and allows cybercriminal groups to better manage the pool of mobile bots."

Constantin noted that "Android malware has pretty much followed in the footsteps of Windows malware," again citing Botezatu as stating that "Cybercrime is all about making easy money with minimum of effort. Creating a piece of malware that is stable, tested and does not crash the host device requires a lot of work and skill."

How to avoid Dendroid

Android users can adopt the same protections that Windows PC users did during the malware crisis that plagued Microsoft's platform ten years ago. That includes not installing apps from untrusted sources and installing third-party malware scanner tools.

Over the past ten years, however, a significant portion of Windows users have simply switched from the wide-open, malware-saturated Windows platform to Apple's Macs and iOS devices. Macs never became a significant malware target, an advantage Apple advertised and worked to preserve.

When it introduced iOS in 2007, Apple incorporated a new security model that attempted to destroy the low hanging fruit supporting the malware market on previous mobile devices.

Apple stated that it "designed the iOS platform with security at its core," detailing that, "when we set out to create the best possible mobile OS, we drew from decades of experience to build an entirely new architecture. We thought about the security hazards of the desktop environment, and established a new approach to security in the design of iOS. We developed and incorporated innovative features that tighten mobile security and protect the entire system by default. As a result, iOS is a major leap forward in OS security."

Apple has since brought many of these protections to its desktop Mac platform, from signed apps to a secure app market and regular free software updates that target and solve vulnerabilities faster than malware authors can build a business around them.

In stark contrast, Google simply recreated Microsoft's malware-harboring platform among mobile devices via Android, allowing third-party developers to release "open" apps that can obtain inappropriate access to user content and data.



Google maintains no accountability for the devices that ship with Android, and most devices ship with outdated versions with known security vulnerabilities. Most of these will never receive security updates.

Comments

  • Reply 1 of 186
    snova Posts: 1,281 member
    yikes
  • Reply 2 of 186
    droidftw Posts: 1,009 member

    Any stats on infection rates and geographic locations of those most at risk?  No?  I wonder why that could be.

  • Reply 3 of 186
    mstone Posts: 11,510 member

    The denial of service capabilities available to the RATs can affect anyone regardless of which platform they use. With the possibilities of millions or even billions of infected Android devices, no one is immune from their DDOS attacks.

  • Reply 4 of 186
    gatorguy Posts: 24,646 member
    An app that at least appeared to have Dendroid code actually made it into Google Play, It was caught before it had been downloaded more than 50 times according to ARS. There's attacks coming at us from all directions anymore.
    http://arstechnica.com/security/2014/03/malware-designed-to-take-over-cameras-and-record-audio-enters-google-play/
  • Reply 5 of 186
    dasanman69 Posts: 13,002 member
    Troubling indeed.
  • Reply 6 of 186
    gatorguy Posts: 24,646 member

    Google maintains no accountability for the devices that ship with Android... Most of these will never receive security updates.

    The article was actually pretty informative, at least until it strayed into misinformation at the very end. Every Google Android device with 2.3 and above (that's pretty much all of them) have received security updates even if the OS itself is still an older version. Security and feature updates can come directly from Google via Play Services and have.
  • Reply 7 of 186
    mstone Posts: 11,510 member
    Quote: Originally Posted by Gatorguy
    There's attacks coming at us from all directions anymore.

    Right because there are so many directions that Android apps can take to deliver malware. It is nice that Google Play caught one app but what about all the other ways to download apps for Android? In the old days they would post a link to see Britney nude, now just substitute Taylor Swift or whomever and download away.

  • Reply 8 of 186
    mstone Posts: 11,510 member
    Quote: Originally Posted by Gatorguy
    Every Google Android device with 2.3 and above (that's pretty much all of them) have received security updates even if the OS itself is still an older version.

    Spin doctoring. What do security updates for older phones have to do with this type of app that bypasses every security protocol in place for even newer phones?

  • Reply 9 of 186
    snova Posts: 1,281 member
    Quote: Originally Posted by mstone
    Quote: Originally Posted by Gatorguy
    There's attacks coming at us from all directions anymore.

    Right because there are so many directions that Android apps can take to deliver malware. It is nice that Google Play caught one app but what about all the other ways to download apps for Android? In the old days they would post a link to see Britney nude, now just substitute Taylor Swift or whomever and download away.


    Comes with the territory of having the highest market share, unfortunately. When there is a will, there is a way.

    Not sure that sticking your head in the ground and being skeptical of the validity of this story is a productive move. Therefore, I am glad Google has acknowledged there is a challenge because they are the #1 target, and hopefully for the sake of their users they will step up the effort, even if it means being less "open".

    Just hope it's not too late to get the horse back into the barn.

  • Reply 10 of 186
    mstone Posts: 11,510 member
    Quote: Originally Posted by snova
    Therefore, I am glad Google has acknowledged there is a challenge because they are the #1 target, and hopefully for the sake of their users they will step up the effort, even if it means being less "open".


    Toothpaste cannot be put back in the tube. Google unleashed Android on the world and they can't recall it.

  • Reply 11 of 186
    solipsismx Posts: 19,566 member
    RAT has got to be the best acronym for malware.

    gatorguy wrote: »
    Every Google Android device with 2.3 and above (that's pretty much all of them) have received security updates even if the OS itself is still an older version. Security and feature updates can come directly from Google via Play Services and have.

    Sure, they have gotten some security updates with the lateral move Google implemented, which is good, but does that mean that all the holes that are in version 2.3 are now closed as if they were running 4.4? And why have the different versions if the actual OS version doesn't mean anything? And what about the different API versions? 2.3 "Gingerbread" is API Level 10 while 4.4 "Kit Kat" is API Level 19. Those have to mean something, otherwise why have them at all?
  • Reply 12 of 186
    solipsismx Posts: 19,566 member
    mstone wrote: »
    Toothpaste cannot be put back in the tube.

    This sounds like a job for Mythbusters.
  • Reply 13 of 186
    Dan_Dilger Posts: 1,584 member
    Quote: Originally Posted by Gatorguy
    Quote: Originally Posted by AppleInsider (/t/162893/new-android-rat-infects-google-play-apps-turning-phones-into-spyware-zombies#post_2483375)
    Google maintains no accountability for the devices that ship with Android... Most of these will never receive security updates.

    The article was actually pretty informative, at least until it strayed into misinformation at the very end. Every Google Android device with 2.3 and above (that's pretty much all of them) have received security updates even if the OS itself is still an older version. Security and feature updates can come directly from Google via Play Services and have.

    Android 2.3 has known vulnerabilities that Google is never going to patch. That, and every security and networking company of record on the subject has echoed what Juniper says (a pic even included in the story for you): the majority of Android users are unpatched.

    It's not in Google's interest, nor that of the carrier or hardware maker, to create and distribute updates. All they want to do is ship volumes as broadly as possible, just like the PC makers who presided over the Windows Malware Era.

    Google turned back the clock after iOS and promised a new world of exciting openness. It was wrong. Android's "Open" has been a total failure across the platform.

  • Reply 14 of 186
    dick applebaum Posts: 12,527 member
    mstone wrote: »
    The denial of service capabilities available to the RATs can affect anyone regardless of which platform they use. With the possibilities of millions or even billions of infected Android devices, no one is immune from their DDOS attacks.

    How could these denial of service attacks be fended off?
  • Reply 15 of 186
    gatorguy Posts: 24,646 member
    mstone wrote: »
    Spin doctoring. What do security updates for older phones have to do with this type of app that bypasses every security protocol in place for even newer phones?

    Obviously you cover the stuff you can but no consumer OS can catch everything. RAT malware evades Mac defenses too IIRC. Wasn't there some email infection going around disguised as FedEx or DHL notices a couple of months back? I received a couple of those myself but was smart enough to delete them. You can be sure that some folks didn't.

    Still doesn't make the last paragraph of the article true in any event. It isn't. Google has rolled out security updates to essentially ALL Google Android devices whether the manufacturer made an OS update available or not.
  • Reply 16 of 186
    Dan_Dilger Posts: 1,584 member
    Quote: Originally Posted by DroidFTW
    Any stats on infection rates and geographic locations of those most at risk?  No?  I wonder why that could be.

    In whose interest would that be? That’s as dumb as saying President Reagan ignored AIDS for years so it probably wasn’t a real problem.

  • Reply 17 of 186
    mstone Posts: 11,510 member
    Quote: Originally Posted by SolipsismX
    This sounds like a job for Mythbusters.


    You know Mythbusters actually used one of our products in their show. They called us up to ask permission. The show wasn't about our product, just that they used it to debunk something else.

  • Reply 18 of 186
    mstone Posts: 11,510 member
    Quote: Originally Posted by Gatorguy
    Google has rolled out security updates to essentially ALL Google Android devices whether the manufacturer made an OS update available or not.


    Push or hunt and seek?

  • Reply 19 of 186
    gtr Posts: 3,231 member

  • Reply 20 of 186
    sockrolid Posts: 2,789 member

    Get ready for some Android Apologist knee-jerk reactions:

    1. But most Android users don't even know about Google Play, so they're safe.  Oh wait...

    2. But it only affects the latest 4.4 KitKat release, and almost nobody has that yet.  Oh wait...

    3. So yeah, the RAT affects other releases.  It proves that fragmentation isn't really all *that* bad. Oh wait...

    4. But most Android devices are Chinese no-name knockoffs that don't connect to Google Play anyway.  Oh wait...

    5. But lots of Android devices are Kindle Fires, which are running a non-Google Play fork of Android.  Oh wait...

    6. But 99% of all mobile malware is on Android already, so what's one more little bad app?  Oh wait...

    7. etc.
