Thursday, March 13, 2014

Dendroidbot Quick Analysis

As I got a sample of the Dendroid APK malware, I decided to do a quick analysis of it. Thanks to +Mila Parkour for the sample.

The original sample is protected with DexGuard, which adds an extra layer of protection to its code: the classes appear obfuscated when decompiled.

The following permissions can be used once it has been installed:
  • directly call phone numbers
  • read phone status and identity
  • reroute outgoing calls
  • edit your text messages (SMS or MMS)
  • read your text messages (SMS or MMS)
  • receive text messages (SMS)
  • send SMS messages
  • take pictures and videos
  • record audio
  • precise location (GPS and network-based)
  • read call log
  • read your contacts
  • read your Web bookmarks and history
  • modify or delete the contents of your SD card
  • find accounts on the device
  • full network access
  • view network connections
  • retrieve running apps
  • prevent phone from sleeping
  • modify system settings
  • test access to protected storage
Going through its Java classes, we also found that it can determine whether it is running on an emulator. There is a lot of functionality that would allow it to completely spy on your phone.

initiate() loads a pre-defined, base64-encoded configuration.
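A small triage helper for this kind of sample, added here as an example and not code from the original post: it scans decompiled Java text for base64 string literals that decode to printable text (the way a pre-defined configuration such as a server address is usually hidden) and for the constants and API calls commonly used for emulator checks. The SAMPLE_SOURCE fragment and the decoded values in it are constructed placeholders, not real Dendroid indicators.

```python
# Added example: triage decompiled Android source for base64-hidden config
# strings and emulator-detection markers. SAMPLE_SOURCE is constructed.
import base64
import binascii
import re
import string
from typing import List, Tuple

# Constructed decompiled-Java fragment resembling what the post describes.
SAMPLE_SOURCE = r'''
public class Dendroid {
    private static final String a = "aHR0cDovL2MyLmV4YW1wbGUuaW52YWxpZC9wYW5lbC8=";
    private static final String b = "QW5kcm9pZA==";
    public void initiate() { this.url = new String(Base64.decode(a, 0)); }
    public boolean isEmulator() {
        return Build.FINGERPRINT.startsWith("generic")
            || Build.MODEL.contains("google_sdk")
            || "000000000000000".equals(tm.getDeviceId());
    }
}
'''

# Quoted literals made only of base64 alphabet characters, 8+ chars long.
STRING_LITERAL = re.compile(r'"([A-Za-z0-9+/=]{8,})"')
PRINTABLE = set(string.printable) - set("\x0b\x0c")
# Strings typically seen in Android emulator checks (Build fields, goldfish
# kernel name, SDK model name, the all-zero IMEI returned by the emulator).
EMULATOR_MARKERS = ("Build.FINGERPRINT", "generic", "goldfish", "google_sdk",
                    "getDeviceId", "000000000000000")

def decode_base64_literals(source: str) -> List[Tuple[str, str]]:
    """Return (literal, decoded) pairs for literals that decode to printable text."""
    found = []
    for literal in STRING_LITERAL.findall(source):
        try:
            raw = base64.b64decode(literal, validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid base64 (wrong length, padding or alphabet)
        try:
            text = raw.decode("ascii")
        except UnicodeDecodeError:
            continue  # binary data, not an embedded config string
        if text and all(ch in PRINTABLE for ch in text):
            found.append((literal, text))
    return found

def emulator_check_markers(source: str) -> List[str]:
    """Return the emulator-detection indicators present in the source."""
    return [marker for marker in EMULATOR_MARKERS if marker in source]

if __name__ == "__main__":
    for literal, text in decode_base64_literals(SAMPLE_SOURCE):
        print(f"config string: {literal} -> {text}")
    print("emulator checks:", emulator_check_markers(SAMPLE_SOURCE))
```

Run it against the output of a decompiler such as JD-GUI or jadx on the unpacked APK; any decoded URL or host is a candidate for network detection rules.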

Here is the VirusTotal detection list:

Note that this sample is an earlier version of Dendroid. Some users might already have found a more recent version of it bound to another application to make it look like a legitimate app.

~ alternat0r
