New Tool Makes Android Malware Easier To Create
itwbennett writes "A new commercial tool designed to allow cybercriminals to easily transform legitimate Android applications into malicious software has hit the underground market, paving the way for cheap and easy development of sophisticated Android malware. Security researchers from Symantec said Wednesday in a blog post that the tool, called Dendroid, is marketed by its creators as an Android remote administration tool (RAT) and is being sold for $300."
For what it's worth, these are the kind of tools you need to see Android in the enterprise.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
XP lives! well, for a few more days, after which it lives forever.
I just bought a new phone. There are instructions on the manufacturer's website for unlocking the bootloader https://motorola-global-portal...
From there all you need is the included usb cable and Superboot.
No new firmware is flashed in the process, just a couple of files copied.
iOS has yet to have a single piece of malware in the wild for it. By keeping the dolts from hosing their own systems, Apple has kept effectively 100% security on their devices going on almost a decade without a single malware occurrence in the wild (other than JBs.)
Can this be said about any other widespread ecosystem in the computing arena? No malware whatsoever in the wild for that long is a pretty top tier achievement.
Or, you get it for FREE with a two-year contract.
If there is an Android based audio head that has the same functionality as CarPlay, it almost definitely will not be vulnerable to this type of malware (although I'm sure malware can be injected somehow):
1: The functionality to add apps will be a lot more restricted than on a typical phone and app store. I doubt that there will be the option for sideloading, much less ADB access. Slam this door shut, and this effectively gets rid of malware. Reducing the install points of all software and being an active, brutal guardian is one of the reasons iOS has had a good reputation for security over time.
2: Android can be made pretty secure, especially with SELinux set to enforcing in Android 4.4 as opposed to permissive. Even if something gets root, the OS is still pretty well locked down.
3: Most device makers have solid ways to turn filesystems read-only, even to root, so even if malware got its way unfettered by SELinux, it might be able to hose a partition or two, but couldn't attach somewhere so it could be started on the next device reboot. Again, not 100%, but an effective measure.
4: Android's existing app permission model will be good enough for a car audio head, since in general, one wouldn't be adding apps to it, apps would be on the smartphone or tablet.
iOS integration is nice, but it means only three phones (the iPhone 5, the iPhone 5c, and iPhone 5s) will work with CarPlay. That isn't that many devices, and I'm sure the people running Android will be demanding a decent audio/map experience as well.
I would guess carmakers will solve this by including CarPlay and an Android based analog that provides similar functionality.
This would appear to be a solution marketed to the less intelligent software developers and schemers. The tool's "dashboard" is hosted by the tool creators. Let me help you out: You do all the work of baking our toolkit into your stuff and, at some random point in the future, we'll take the client off your hands at no charge.
See! See why we're important! You need to buy our software, and quickly!
If we would have an Android service that would allow only downloads but not uploads, users would not accept so easily apps with Full Network Access Permissions. Coincidentally I am working on a solution. Please excuse the shameless ad here: https://www.kickstarter.com/pr...
The biggest part of this story is that it is now easier to make a trojanized version of a legit app. But it has been possible from day one.
Android apps are written in Java, and Java bytecodes can be decompiled into something remarkably similar to the original source code. Then the source code can be edited and compiled back to an app. Hey presto, you have a hacked up version of the app.
http://stackoverflow.com/questions/12370326/decompile-an-apk-modify-it-and-then-recompile-it
But -- and this is important -- the person using this attack has no way to sign the malware with the same signing key as the upstream source of the original, legit app. This means that it is much harder to trick someone into running the malware.
So, if you get an app from the Google Play store, and later someone tries to overwrite your app with a new build that is malware-infected, Android will refuse to install the new app, because the signing key isn't identical.
http://developer.android.com/tools/publishing/app-signing.html
So, if a user gets an email with an attached "free" version of an app that normally costs money, and that user has not previously installed the legit version of the app, and that user sideloads the malware version, then that user will have malware on his/her Android device.
So, as usual, it's easy to protect yourself: get apps from the Google Play store, and don't sideload apps unless you are certain they are clean.
For that matter, if you are browsing the Google Play store and you see an app that has only been up for a day, and claims to be a miraculously free version of a payware app... just say no.
lf(1): it's like ls(1) but sorts filenames by extension, tersely
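The signing-key check described in the comment above, as an added example that is not part of the original thread: a simplified model of the update rule, run over the signer digests that `apksigner verify --print-certs` reports. The package names, the device state and the digests are constructed for illustration, and the output line format is assumed from the Android SDK build-tools.

```python
import hashlib
import re

# Line format assumed from `apksigner verify --print-certs` (Android SDK build-tools).
DIGEST_RE = re.compile(
    r"^Signer #\d+ certificate SHA-256 digest: ([0-9a-fA-F]{64})\s*$",
    re.MULTILINE,
)


def signer_digests(print_certs_output):
    """Return the set of signer certificate SHA-256 digests found in the output."""
    return frozenset(d.lower() for d in DIGEST_RE.findall(print_certs_output))


def evaluate(installed_signers, package, candidate_output):
    """Simplified model of the update rule: the signer set must equal the
    installed copy's (ignores APK Signature Scheme v3 key rotation)."""
    candidate = signer_digests(candidate_output)
    if not candidate:
        return "reject: no signer certificate found"
    known = installed_signers.get(package)
    if known is None:
        # The sideloading case: nothing installed, so no key to compare against.
        return "no baseline: first install, key continuity gives no protection"
    if candidate != known:
        return "reject: signer differs from installed copy"
    return "accept: same signer as installed copy"


def constructed_output(dn, seed):
    """Build sample apksigner-style output; the digest is constructed, not real."""
    digest = hashlib.sha256(seed).hexdigest()
    return (
        f"Signer #1 certificate DN: {dn}\n"
        f"Signer #1 certificate SHA-256 digest: {digest}\n"
    )


UPSTREAM = constructed_output("CN=Example Upstream Dev", b"constructed-upstream-cert")
REPACKED = constructed_output("CN=Android Debug", b"constructed-repackager-cert")
INSTALLED = {"com.example.legit": signer_digests(UPSTREAM)}  # hypothetical device state

if __name__ == "__main__":
    for label, pkg, out in [
        ("genuine update", "com.example.legit", UPSTREAM),
        ("repackaged over installed app", "com.example.legit", REPACKED),
        ("repackaged, app never installed", "com.example.paid", REPACKED),
        ("unsigned", "com.example.legit", "DOES NOT VERIFY\n"),
    ]:
        print(f"{label}: {evaluate(INSTALLED, pkg, out)}")
```

The third case is the one the comment warns about: with no installed copy there is no key to compare, so the check only helps users who already have the legitimate app.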
as the article says, the malware is a trojan that the user downloads and it scrapes the address book. it never breaks out of its sandbox into neighboring systems. it doesn't pwn your phone. hate to move the goalposts on you, but show me something that's not a single-user trojan.