Source Code leaks for Android RAT Dendroid (Aug 29, 2014)

Remote Administration Tools (RATs) are quite common on the Windows platform today but remain a rarity on mobile platforms. AndroRat was one of the first RATs reported for Android; the next to make news was Dendroid, which was first reported in March 2014 and sold on underground sites for $300. It gained popularity quickly owing to its long list of features, and it has recently been making waves again after its source code was leaked on GitHub. The Dell SonicWALL Threats Research Team obtained a copy of the Dendroid source code, and in this post we highlight some observations from our analysis of this threat.

The leaked code consists of:

  • APK Binder
  • Dendroid APK
  • Dendroid Panel

APK Binder

The binder fuses a legitimate Android app with the malicious Dendroid APK. The resulting trojanized app can then be used to spread Dendroid to unsuspecting victims.

Dendroid APK

This APK is the RAT's payload on the device. It can execute a wide range of commands, including the following:

  • Media volume up/down
  • Ringer volume up/down
  • Screen On
  • Record Calls
  • Block SMS
  • Record Audio
  • Take Video
  • Take Photo
  • Send Text
  • Send Contacts
  • Get user accounts
  • Call Number
  • Delete Call Logs
  • Open Webpage
  • Update the app
  • Delete Files ( audio, video, pictures, calls )
  • Get Browser History
  • Get Browser Bookmarks
  • Get Call History
  • Open Dialog Box
  • Get Inbox SMS
  • HTTP flood

Dendroid Panel

This is the web console where the attacker can view details about his bots, issue commands to them and view the results of those commands.

Infection Cycle

The Dendroid APK uses the package name com.hidden.droidian and requests the following permissions during installation:

  • QuickBoot PowerON
  • Internet
  • Access Fine Location
  • Get Tasks
  • Wake Lock
  • Call Phone
  • Write Settings
  • Read Phone State
  • Write External Storage
  • Camera
  • Read SMS
  • Write SMS
  • Send SMS
  • Receive SMS
  • Get Accounts
  • Read History Bookmarks
  • Access Network State
  • Read Contacts
  • Record Audio
  • Process Outgoing Calls

Once installed it appears in the app drawer with an Adobe Flash icon; a number of Android malware samples have used the Adobe Flash icon in the recent past, and this one follows suit. Tapping the app produces nothing noticeable apart from the icon disappearing from the app drawer, but the app continues to run in the background through its Services.

The app has the following Services that run in the background:

  • RecordService
  • DroidianService

DroidianService contains the bulk of the functionality present in the malicious app. It also holds configuration such as the URL the Trojan communicates with, the database password and other options that can be set from the Panel.

Once this service starts it gathers information about the device and informs the attacker of the successful infection. The following information is sent to the attacker in an HTTP GET request to get.php:

  • UID – Used to identify the device
  • Service provider
  • Phone number
  • GPS co-ordinates, which the Panel plots on a small world map
  • Device Model
  • SDK Version Information
  • Database Password

Once the server receives this request, an entry for the infected device appears in the attacker's Dendroid Panel. The attacker can then pick from a large arsenal of commands to run on the victim device. Selected commands are queued in the Panel, and the malicious APK polls the server for the command list whenever its receiver, ServiceReceiver, is triggered.

ServiceReceiver gets triggered for the following system events:

  • Boot Completed
  • SMS Received
  • Phone State
  • Action External Applications Available
  • Quickboot PowerON

ServiceReceiver checks whether DroidianService is running and starts it if it is not. DroidianService then sends the get.php request described above and checks for queued commands by requesting get-functions.php.
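The static indicators above (package name, permission set, the two Services and the event-driven ServiceReceiver) are exactly what an analyst would check first in a decoded AndroidManifest.xml. The script below does that triage; it is an added example for this post, not SonicWALL's or Dendroid's code. The permission constants are our mapping of the labels listed above (the QuickBoot one is an assumption, since the page does not spell out the string), and both manifests in the script are constructed for illustration rather than taken from a real sample.

```python
"""Static triage of a decoded AndroidManifest.xml against the Dendroid
indicators listed in this post: the package name com.hidden.droidian, the
requested permission set, the RecordService and DroidianService services,
and a ServiceReceiver registered for the five system events. Added example,
not SonicWALL's or Dendroid's code. Constants marked ASSUMED are not spelled
out on the page; both manifests below are constructed, not real samples."""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # the android: namespace

DENDROID_PACKAGE = "com.hidden.droidian"
DENDROID_SERVICES = {"RecordService", "DroidianService"}
DENDROID_RECEIVER = "ServiceReceiver"
DENDROID_PERMISSIONS = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.GET_TASKS",
    "android.permission.WAKE_LOCK",
    "android.permission.CALL_PHONE",
    "android.permission.WRITE_SETTINGS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.CAMERA",
    "android.permission.READ_SMS",
    "android.permission.WRITE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.GET_ACCOUNTS",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.READ_CONTACTS",
    "android.permission.RECORD_AUDIO",
    "android.permission.PROCESS_OUTGOING_CALLS",
    "android.intent.action.QUICKBOOT_POWERON",  # "QuickBoot PowerON"; string ASSUMED
}
RECEIVER_ACTIONS = {  # system events the post says trigger ServiceReceiver
    "android.intent.action.BOOT_COMPLETED",
    "android.provider.Telephony.SMS_RECEIVED",
    "android.intent.action.PHONE_STATE",
    "android.intent.action.EXTERNAL_APPLICATIONS_AVAILABLE",
    "android.intent.action.QUICKBOOT_POWERON",
}

def _short(name):
    """Component names appear as '.ServiceReceiver' or fully qualified."""
    return (name or "").rsplit(".", 1)[-1]

def triage_manifest(xml_text):
    root = ET.fromstring(xml_text)
    app = root.find("application")
    components = list(app) if app is not None else []
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    services = {_short(e.get(A + "name")) for e in components if e.tag == "service"}
    actions = set()
    for r in components:
        if r.tag == "receiver" and _short(r.get(A + "name")) == DENDROID_RECEIVER:
            actions |= {a.get(A + "name") for a in r.iter("action")}
    report = {
        "package_match": root.get("package") == DENDROID_PACKAGE,
        "permission_hits": len(perms & DENDROID_PERMISSIONS),
        "service_hits": sorted(services & DENDROID_SERVICES),
        "receiver_hits": sorted(actions & RECEIVER_ACTIONS),
    }
    # The package name or both service names are near-certain indicators; a
    # broad permission set alone is only suspicious, since legitimate apps can
    # be permission-hungry too. The thresholds are our choice, not the post's.
    strong = report["package_match"] or len(report["service_hits"]) == 2
    broad = report["permission_hits"] >= 15 and len(report["receiver_hits"]) >= 3
    report["verdict"] = ("dendroid" if strong and broad
                         else "suspicious" if strong or broad else "clean")
    return report

# Constructed manifest modelled on the post's description (not a real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.hidden.droidian">
%s
  <application>
    <service android:name=".RecordService"/>
    <service android:name=".DroidianService"/>
    <receiver android:name=".ServiceReceiver">
      <intent-filter>
%s
      </intent-filter>
    </receiver>
  </application>
</manifest>""" % ("\n".join('  <uses-permission android:name="%s"/>' % p
                            for p in sorted(DENDROID_PERMISSIONS)),
                  "\n".join('        <action android:name="%s"/>' % a
                            for a in sorted(RECEIVER_ACTIONS)))

# Constructed benign control: a note-taking app with two permissions.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application><activity android:name=".MainActivity"/></application>
</manifest>"""
```

Run `triage_manifest(SAMPLE_MANIFEST)` on a manifest decoded with apktool or aapt to get the report; the constructed sample scores "dendroid" and the benign control "clean". Two caveats for real samples: a repackaged variant will usually change the package name and may rename the services, so the permission and receiver overlap matters more than the exact strings; and a receiver for BOOT_COMPLETED needs the RECEIVE_BOOT_COMPLETED permission, which the post's list does not include, so check for it separately.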

Once a command has been executed on the device, the malicious app reports successful execution to the server via message.php. In our test we initiated the "Screen On" command from the Panel, and when the device screen turned on we observed a TCP packet sent from the device stating "Screen On Complete".
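On the network side, the check-in to get.php, the polls of get-functions.php and the report to message.php form a sequence that can be picked out of web-proxy logs. The script below is an added example for this post (not SonicWALL's or Dendroid's code) that flags any client/host pair hitting all three scripts. The log lines are constructed in a simplified proxy format (timestamp, client, host, method, request target), and the hostnames and query strings are placeholders: the post names the fields get.php sends but not the query parameters, so the detector keys on the script paths alone.

```python
"""Network-side triage for the Dendroid check-in / poll / report sequence
described in this post: an HTTP GET to get.php when DroidianService starts,
requests to get-functions.php for queued commands, and message.php once a
command has completed. Added example, not SonicWALL's or Dendroid's code.
Log lines are constructed (timestamp client host method request-target);
hostnames and query strings are placeholders."""
from collections import defaultdict
from urllib.parse import urlsplit

# The three server-side scripts named in the post.
CHECKIN, POLL, REPORT = "get.php", "get-functions.php", "message.php"
DENDROID_SCRIPTS = {CHECKIN, POLL, REPORT}

# Constructed sample: 10.0.0.7 shows the full sequence against one host;
# 10.0.0.9 is a benign client that happens to fetch a file called get.php.
SAMPLE_LOG = """\
2014-08-28T09:00:01Z 10.0.0.7 panel.example.invalid GET /dendroid/get.php?x=PLACEHOLDER
2014-08-28T09:00:02Z 10.0.0.7 panel.example.invalid GET /dendroid/get-functions.php
2014-08-28T09:00:03Z 10.0.0.9 cdn.example.invalid GET /static/get.php?v=2
2014-08-28T09:05:02Z 10.0.0.7 panel.example.invalid GET /dendroid/get-functions.php
2014-08-28T09:05:04Z 10.0.0.7 panel.example.invalid GET /dendroid/message.php
2014-08-28T09:06:00Z 10.0.0.9 cdn.example.invalid GET /static/app.js
"""

def parse_line(line):
    """Split one log line into (timestamp, client, host, method, script name)."""
    ts, client, host, method, target = line.split(None, 4)
    script = urlsplit(target).path.rsplit("/", 1)[-1]
    return ts, client, host, method, script

def dendroid_candidates(log_text, min_polls=1):
    """Return {(client, host): {script: count}} for every client/host pair that
    touched all three scripts, with at least min_polls get-functions.php
    requests. Pairs missing any of the three are not reported: a lone get.php
    is far too common a filename to act on."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, client, host, method, script = parse_line(line)
        # The post shows GET for the check-in; the method used for message.php
        # is not specified, so accept either method for the path match.
        if method in ("GET", "POST") and script in DENDROID_SCRIPTS:
            counts[(client, host)][script] += 1
    return {pair: dict(seen) for pair, seen in counts.items()
            if set(seen) == DENDROID_SCRIPTS and seen[POLL] >= min_polls}

if __name__ == "__main__":
    for (client, host), seen in dendroid_candidates(SAMPLE_LOG).items():
        print("%s -> %s: %s" % (client, host, seen))
```

Because the panel host is attacker-controlled and the script names alone are weak, the function only reports pairs that complete the whole sequence; raise `min_polls` to require repeated polling before alerting. The "Screen On Complete" string the post observed travels in the request to message.php rather than in the path, so a path-only detector will not see it; matching on that payload would need content inspection of the request body or query string.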

After the source code leak there are a couple of things happening with regards to Dendroid:

  • Security researchers are analyzing the tool to strengthen protection against this threat. Some have identified critical vulnerabilities in the Dendroid Panel that highlight its weak input validation.
  • Malware writers are using and modifying the Dendroid code to improve existing threats or create new ones. A modified APK Binder is already in the works, and its author claims to be working on a "new Dendroid remake".

We can expect more Android RATs spun off from the Dendroid code and architecture in the near future. As always, be careful about where you download apps for your Android device, check the permissions an app requests during installation, and make an informed decision.

Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: AndroidOS.Dendroid.EXP (Trojan)
  • GAV: Dendroid.Binder (Trojan)