Thursday, March 13, 2014

Dendroidbot Quick Analysis

Having obtained a sample of the Dendroid APK malware, I decided to do a quick analysis of it. Thanks to +Mila Parkour for the sample.

Sample hashes:
DB01F96D5E66D82F7EB61B85EB96EF6E
52A30B58257D338617A39643E2216D0C

The original sample is protected with DexGuard, which adds an extra layer of protection to its code: the classes appear obfuscated when decompiled.

Once installed, the app is granted the following permissions:
  • directly call phone numbers
  • read phone status and identity
  • reroute outgoing calls
  • edit your text messages (SMS or MMS)
  • read your text messages (SMS or MMS)
  • receive text messages (SMS)
  • send SMS messages
  • take pictures and videos
  • record audio
  • precise location (GPS and network-based)
  • read call log
  • read your contacts
  • read your Web bookmarks and history
  • modify or delete the contents of your SD card
  • find accounts on the device
  • full network access
  • view network connections
  • retrieve running apps
  • prevent phone from sleeping
  • modify system settings
  • test access to protected storage

While analyzing the Java classes, we found that it can also determine whether it is running on an emulator. Going through the classes, there is a lot of functionality that would allow it to completely spy on your phone.


initiate() loads a pre-defined configuration whose values are base64-encoded.
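To make the two observations above (the permission profile, and the base64-encoded configuration loaded by initiate()) reusable in triage, here is an added analyst helper that is not part of the original post and contains no code from the sample. It parses a constructed AndroidManifest.xml fragment and buckets the declared permissions into surveillance, control and exfiltration capabilities (the bucketing is my own grouping, although the permission names are real Android identifiers that correspond to the capabilities listed above), and it scans a constructed decompiled-Java snippet for string constants that decode as base64 to printable text. The C2 URL and password values in the snippet are placeholders I made up; nothing here is an indicator from the real sample.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Constructed manifest fragment (not extracted from the Dendroid sample).
# The permission names are real Android identifiers matching the post's list.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.placeholder">
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
</manifest>
"""

ANDROID_NAME = "{http://schemas.android.com/apk/res/android}name"

# Capability buckets: my own grouping (an assumption), not Android's permission groups.
SURVEILLANCE = {
    "android.permission.RECORD_AUDIO": "record audio",
    "android.permission.CAMERA": "take pictures and videos",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.READ_SMS": "read text messages",
    "android.permission.RECEIVE_SMS": "receive text messages",
    "android.permission.READ_CALL_LOG": "read call log",
    "android.permission.READ_CONTACTS": "read contacts",
    "android.permission.READ_PHONE_STATE": "read phone status and identity",
}
CONTROL = {
    "android.permission.CALL_PHONE": "directly call phone numbers",
    "android.permission.PROCESS_OUTGOING_CALLS": "reroute outgoing calls",
    "android.permission.SEND_SMS": "send SMS messages",
    "android.permission.WRITE_SMS": "edit text messages",
}
EXFILTRATION = {
    "android.permission.INTERNET": "full network access",
}


def declared_permissions(manifest_xml):
    """Return every android:name value from <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NAME) for el in root.iter("uses-permission")]


def triage(manifest_xml):
    """Bucket the manifest's permissions and flag a RAT-like profile.

    Heuristic: an app that can collect data, act on the phone, and talk to
    the network all at once matches the spyware profile described in the post.
    """
    perms = set(declared_permissions(manifest_xml))
    hits = {
        "surveillance": sorted(p for p in perms if p in SURVEILLANCE),
        "control": sorted(p for p in perms if p in CONTROL),
        "exfiltration": sorted(p for p in perms if p in EXFILTRATION),
    }
    hits["rat_like"] = all(hits[k] for k in ("surveillance", "control", "exfiltration"))
    return hits


# Constructed stand-in for decompiled Java with embedded config strings.
# The values are placeholders I invented, not indicators from the real sample.
SAMPLE_JAVA = '''
public void initiate() {
    String a = "aHR0cDovL2MyLmV4YW1wbGUuaW52YWxpZC9wYW5lbC8=";
    String b = "cGxhY2Vob2xkZXItcGFzc3dvcmQ=";
    String c = "notBase64";
}
'''

# Quoted string constants that look like base64 (16+ alphabet chars, optional padding).
B64_STRING_RE = re.compile(r'"([A-Za-z0-9+/]{16,}={0,2})"')


def decode_config_strings(java_src):
    """Map each base64-looking string literal to its decoded ASCII text.

    Literals that fail strict base64 validation or do not decode to ASCII are
    skipped, so ordinary identifiers and binary blobs do not produce noise.
    """
    found = {}
    for match in B64_STRING_RE.finditer(java_src):
        token = match.group(1)
        try:
            raw = base64.b64decode(token, validate=True)
            found[token] = raw.decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
    return found


if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
    print(decode_config_strings(SAMPLE_JAVA))
```

On a real APK you would feed the manifest decoded by apktool and the decompiled sources; the regex is deliberately loose, so expect to filter a few false positives by hand.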


Here is the VirusTotal detection list:
https://www.virustotal.com/en/file/099a57328de9335c524f44514e225d50731c808145221affdd684d8b4dad5a1d/analysis/

Note that this sample is an earlier version of Dendroid. Some users might already have found more recent versions of it bound to other applications to make them look like legitimate apps.


~ alternat0r