Source Code leaks for Android RAT Dendroid
Remote Administration Tools (RAT) are quiet common on the Windows platform in the current age but they are a rarity for the Mobile platform. AndroRat is one of the first reported RAT for Android, the next RAT that made news was Dendroid which was first reported in March 2014 and came with a price tag of $300 in underground sites. It gained popularity in a short time owing to its long list of features, but recently it has been making waves again after its source code leaked on GitHub. Dell SonicWALL Threats Research Team obtained a copy of the Dendroid Source Code and in this post we have highlighted some observations from our analysis of this threat.
The leaked code consists of:
- APK Binder
- Dendroid APK
- Dendroid Panel
The binder can be used to fuse a legitimate Android app with the malicious Dendroid app. This modified app can then be used to propagate Dendroid to unsuspecting victims
This apk acts as the payload for the RAT. It has capabilities to execute a wide range of commands, some of them are as follows:
This is the information console where the attacker can view all the details about his bots, issue commands to them and view results of these commands:
The Dendroid apk goes by the package name com.hidden.droidian and requests for the following permissions during installation:
Once installed it appears in the appdrawer with an Adobe Flash icon. In the recent past there have been a number of Android malwares using the Adobe Flash icon, this one follows suit. Upon clicking the app nothing noticeable happens apart from the icon disappearing from the app drawer, but the app continues to run in the background through its Services:
The app has the following Services that run in the background:
Droidian Service contains major bulk of the functions present in the malicious app. In addition, it contains details like URL which the Trojan should communicate with, the database password and other configuration options that can be set from the Panel.
Once this service starts it begins gathering information about the device and informs the attacker about successful infection. The following information is sent to the attacker via a get.php GET packet:
- UID - Used to identify the device
- Service provider
- Phone number
- GPS Co-ordinates that display the location of the device on a small worldmap
- Device Model
- SDK Version Information
- Database Password
Once this packet is received by the server, the attacker is able to see an entry in his Dendroid Panel for this infected device. He can then choose from a large arsenal of commands instructing what he wants to do on the victim device. The commands selected by him get queued in the panel, the malicious apk polls the server for a list of commands whenever the receiver ServiceReceiver gets triggered.
ServiceReceiver gets triggered for the following system events:
- Boot Completed
- SMS Received
- Phone State
- Action External Applications Available
- Quickboot PowerON
ServiceReceiver in turn checks and starts DroidianService if it is not already running, DroidianService then sends the get.php mentioned earlier and checks if there are any commands issued by sending get-functions.php
Once the command is executed on the device the malicious app informs the server about the successful execution via message.php. In the below example we initated the "Screen On" command on the Panel and when the device screen was turned on we observed a TCP packet being sent from the device stating "Screen On Complete"
After the source code leak there are a couple of things happening with regards to Dendroid:
- Security Researchers are analyzing and understanding this tool to strengthen protection against this threat. Some researchers have identified critical vulnerabilities in the Dendroid Panel highlighting loopholes towards Input Validation
- Malware writers are using and modifying the dendroid code to further improve/create new threats. There is already a modified APK Binder in the works and the author claims that he is working on a "new dendroid remake"
We can expect to see more Android RATs that get spawned off Dendroid code/architecture in the near future. As always be careful about where you download apps for your Android device and check the permissions that the app requests during installation and make an informed decision.
Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:
- GAV: AndroidOS.Dendroid.EXP (Trojan)
- GAV: Dendroid.Binder (Trojan)