Analysis of an Android RAT
by Spidey, 07-24-2014 at 05:05 AM
Dendroid is an Android RAT that has been discussed on various security portals over the last few months. This RAT is capable of proxying/intercepting SMS and calls, stealing passwords, dumping screenshots and accessing the camera and mic.
I used Android APK Decompiler, an online service, to decompile the APK to its source code. It was really helpful.
Configs in AndroidManifest.xml file:
Code:
<?xml version="1.0" encoding="utf-8"?>
<manifest android:versionCode="2" android:versionName="2.0" package="com.adobe.flash13" xmlns:android="http://schemas.android.com/apk/res/android">
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
    <supports-screens ="true" ="true" ="true" />
    <application android:theme="@style/Invisible" android:label="@string/app_name" android:icon="@drawable/launcher">
        <activity android:name="com.connect.Dendroid" ="true">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
        <activity android:name="o.If$ᐧ" ="true" />
        <activity android:name="com.connect.CaptureCameraImage" ="true" />
        <activity android:name="o.・$ˍ" ="true" />
        <activity android:name="o.Aux" ="true" />
        <service android:name="com.connect.MyService" ="true" ="true" />
        <service android:name="o.aux$ʹ" />
        <receiver android:name="com.connect.ServiceReceiver" ="true" ="true">
            <intent-filter android:priority="1000">
                <action android:name="android.intent.action.BOOT_COMPLETED" />
                <action android:name="android.provider.Telephony.SMS_RECEIVED" />
                <action android:name="android.intent.action.PHONE_STATE" />
                <action android:name="android.intent.action.ACTION_EXTERNAL_APPLICATIONS_AVAILABLE" />
                <action android:name="android.intent.action.QUICKBOOT_POWERON" />
            </intent-filter>
        </receiver>
    </application>
    <uses-permission android:name="android.permission.QUICKBOOT_POWERON" ="false" />
    <uses-permission android:name="android.permission.INTERNET" ="true" />
    <uses-permission android:name="android.permission.READ_SMS" ="true" />
    <uses-permission android:name="android.permission.WRITE_SMS" ="true" />
    <uses-permission android:name="android.permission.GET_ACCOUNTS" ="true" />
    <uses-permission android:name="com.android.browser.permission.READ_HISTORY_BOOKMARKS" />
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" ="true" />
    <uses-permission android:name="android.permission.READ_CONTACTS" ="true" />
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" ="true" />
    <uses-permission android:name="android.permission.GET_TASKS" ="true" />
    <uses-permission android:name="android.permission.WAKE_LOCK" ="false" />
    <uses-permission android:name="android.permission.CALL_PHONE" ="true" />
    <uses-permission android:name="android.permission.SEND_SMS" ="true" />
    <uses-permission android:name="android.permission.WRITE_SETTINGS" ="false" />
    <uses-permission android:name="android.permission.READ_PHONE_STATE" ="false" />
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" ="true" />
    <uses-permission android:name="android.permission.CAMERA" ="true" />
    <uses-permission android:name="android.permission.RECORD_AUDIO" ="false" />
    <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS" ="true" />
    <uses-permission android:name="android.permission.RECEIVE_SMS" ="true" />
    <uses-feature android:name="android.hardware.camera" ="false" />
    <uses-feature android:name="android.hardware.camera.front" ="false" />
    <uses-feature android:name="android.hardware.camera.autofocus" ="false" />
    <uses-feature android:name="android.hardware.microphone" ="false" />
</manifest>
(In the listing above, the attribute names other than android:name did not survive extraction from the decompiler output; only their values remain.)
In the above config, the uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" together with the receiver android:name="com.connect.ServiceReceiver" (registered for BOOT_COMPLETED and SMS_RECEIVED with priority 1000) allows the app to start on boot and intercept received SMS. The other uses-permission tags grant the malware the privileges it needs for the remaining RAT activities. The application tag's android:theme="@style/Invisible" (with android:label="@string/app_name" and android:icon="@drawable/launcher") makes the malware invisible when active.
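The manifest review above can be automated. The following is an added example, not code from the original post or from the Dendroid project: it parses an AndroidManifest.xml with the standard library, groups the declared permissions into the capability buckets the RAT needs (boot persistence, SMS interception, surveillance, exfiltration channel), flags any receiver registered for BOOT_COMPLETED or SMS_RECEIVED together with its priority, and checks for an "Invisible" theme. The two manifests embedded below are constructed samples patterned on the listing (attribute names restored); the bucket names and the verdict thresholds are this example's own choices.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(name):
    """ElementTree key for an android:-namespaced attribute."""
    return "{%s}%s" % (ANDROID_NS, name)


# Capability buckets (names chosen for this example). Individually most of these
# permissions are legitimate; several together, plus a boot/SMS receiver and a
# hidden UI, is the profile of the RAT analysed above.
CAPABILITIES = {
    "boot_persistence": {"android.permission.RECEIVE_BOOT_COMPLETED"},
    "sms_interception": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "sms_sending": {"android.permission.SEND_SMS", "android.permission.WRITE_SMS"},
    "call_control": {"android.permission.CALL_PHONE", "android.permission.PROCESS_OUTGOING_CALLS"},
    "surveillance": {"android.permission.CAMERA", "android.permission.RECORD_AUDIO"},
    "location": {"android.permission.ACCESS_FINE_LOCATION"},
    "exfil_channel": {"android.permission.INTERNET"},
}

# Broadcasts that hand a receiver control at boot or ahead of the SMS app.
WATCHED_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.provider.Telephony.SMS_RECEIVED",
}


def triage_manifest(xml_text):
    """Return the RAT-relevant facts of a manifest as a dict."""
    root = ET.fromstring(xml_text)
    name = android_attr("name")
    perms = {e.get(name) for e in root.iter("uses-permission")}  # inside or outside <application>
    caps = {cap: sorted(perms & needed) for cap, needed in CAPABILITIES.items() if perms & needed}

    receivers = []
    for recv in root.iter("receiver"):
        for flt in recv.findall("intent-filter"):
            actions = {act.get(name) for act in flt.findall("action")}
            hit = actions & WATCHED_ACTIONS
            if hit:
                receivers.append({
                    "receiver": recv.get(name),
                    "actions": sorted(hit),
                    "priority": int(flt.get(android_attr("priority"), "0")),
                })

    # A theme called "Invisible", as in the sample, hides the app's UI while it runs.
    app = root.find("application")
    theme = app.get(android_attr("theme"), "") if app is not None else ""
    hidden_ui = "invisible" in theme.lower()

    if "boot_persistence" in caps and "exfil_channel" in caps and len(caps) >= 4 and receivers:
        verdict = "likely RAT"
    elif len(caps) >= 3:
        verdict = "suspicious"
    else:
        verdict = "no indicator"
    return {"package": root.get("package"), "capabilities": caps,
            "receivers": receivers, "hidden_ui": hidden_ui, "verdict": verdict}


# Constructed sample patterned on the listing above (not the original file).
SAMPLE_RAT_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.adobe.flash13">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
  <application android:theme="@style/Invisible" android:label="@string/app_name">
    <receiver android:name="com.connect.ServiceReceiver">
      <intent-filter android:priority="1000">
        <action android:name="android.intent.action.BOOT_COMPLETED" />
        <action android:name="android.provider.Telephony.SMS_RECEIVED" />
        <action android:name="android.intent.action.PHONE_STATE" />
      </intent-filter>
    </receiver>
  </application>
  <uses-permission android:name="android.permission.INTERNET" />
  <uses-permission android:name="android.permission.READ_SMS" />
  <uses-permission android:name="android.permission.RECEIVE_SMS" />
  <uses-permission android:name="android.permission.SEND_SMS" />
  <uses-permission android:name="android.permission.CALL_PHONE" />
  <uses-permission android:name="android.permission.CAMERA" />
  <uses-permission android:name="android.permission.RECORD_AUDIO" />
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
</manifest>
"""

# Constructed benign manifest for contrast.
SAMPLE_BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET" />
  <application android:label="@string/app_name" />
</manifest>
"""

if __name__ == "__main__":
    for m in (SAMPLE_RAT_MANIFEST, SAMPLE_BENIGN_MANIFEST):
        print(triage_manifest(m))
```

The receiver priority is worth keeping in the output: a receiver for SMS_RECEIVED at priority 1000 runs ahead of the stock SMS application, which is what lets the RAT read (and, with abortBroadcast, hide) messages before the user sees them.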
One of the files had the C2 configs as Base64-encoded strings. The malware uses a hard-coded key, which is sent in plain text to authenticate itself with the server. It's not the admin's credential.
The bot owner in this case was targeting Russian users and was eavesdropping on their personal lives. The motive is unknown.
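Pulling the Base64-encoded C2 settings out of decompiled source is a mechanical step, and the following added example (not code from the original post) shows one way to do it: it scans Java source for string literals that consist only of the Base64 alphabet, decodes them strictly, and keeps only those that decode to printable text, so short identifiers that merely look like Base64 (such as the class name "Dendroid", which decodes to non-UTF-8 bytes) are dropped. The Java snippet is constructed inline, and the URL and key it carries are placeholder values, not the real panel or key.

```python
import base64
import re

# Java string literals made only of the Base64 alphabet, 8+ characters, optional padding.
B64_LITERAL = re.compile(r'"([A-Za-z0-9+/]{8,}={0,2})"')


def decode_if_text(candidate):
    """Strictly decode a Base64 candidate; return the text only if it is printable."""
    if len(candidate) % 4:
        return None
    try:
        raw = base64.b64decode(candidate, validate=True)  # rejects non-alphabet chars and bad padding
        text = raw.decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    return text if text and text.isprintable() else None


def extract_encoded_config(java_source):
    """Map each Base64-looking literal in decompiled Java to its decoded text."""
    found = {}
    for literal in B64_LITERAL.findall(java_source):
        decoded = decode_if_text(literal)
        if decoded is not None:
            found[literal] = decoded
    return found


# Placeholder values for the constructed sample (not the real C2 or key).
C2_URL_PLAIN = "http://c2.example.invalid/get.php"
BOT_KEY_PLAIN = "constructed-sample-key"

# Constructed decompiled-Java fragment; the two config literals are encoded at build time
# so the sample stays consistent. "Dendroid" and "hello world!" are decoys that must be skipped.
SAMPLE_JAVA = """
public class Config {
    private static final String URL = "%s";
    private static final String KEY = "%s";
    private static final String TAG = "Dendroid";
    private static final String GREETING = "hello world!";
}
""" % (base64.b64encode(C2_URL_PLAIN.encode()).decode(),
       base64.b64encode(BOT_KEY_PLAIN.encode()).decode())

if __name__ == "__main__":
    for encoded, plain in extract_encoded_config(SAMPLE_JAVA).items():
        print("%s -> %s" % (encoded, plain))
```

Because the key is hard-coded and sent in plain text, the decoded value doubles as a network indicator: a proxy or IDS rule matching it in outbound requests catches every infected device talking to the panel, without needing the APK.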
Sneak peek (screenshots of the C2 panel, not reproduced here): Login, Settings, DB.
The panel also contained various screen captures, images stolen from the camera and gallery, and intercepted text messages.
The C2 panel's code is a mess and the browser gets heavy. I guess this will kill the RAT itself. The C2 seems dead as of today.
Have a nice day
-
Spidey
https://twitter.com/5pld3y