New Tool Lets Anyone Turns Android Apps Into Malware

Crime goes commercial: You can now buy a tool online that turns Android apps into malware in just a few simple steps.

Called Dendroid, the tool costs only $300 and comes with 24-hour support. Naturally, the developers accept Bitcoin.

MORE: Mobile Security Guide: Everything You Need to Know

First discovered by security research firm Symantec, Dendroid is a remote access tool (RAT) that "trojanizes" legitimate apps by inserting its malicious code into the application package file, or APK.

Dendroid, whose name is an adjective meaning "treelike" or "branching," can be purchased on underground online markets from a user who goes by "Soccer."  

Dendroid buyers also receive what's called an APK binder, which lets them "bind" Dendroid's functionality into the APK, thus creating an app that looks normal on the outside but is full of malware on the inside.

Criminals can then put the infected app into an Android app market, and anyone tricked into downloading and installing it will be infected. The malware can't trojanize apps that are already downloaded onto your phone.

Dendroidified apps can do just about anything a cybercriminal could want: delete the infected phone's call logs, make it secretly call specific phone numbers, open Web pages, intercept text messages and more. The malware can even access the phone's microphone and camera to silently record calls and take video and photos.

Users can control these features through a command-and-control server, which appears to be included in Dendroid's $300 price.

Mobile anti-malware developer Lookout claims that Dendroid seems designed to get its infected apps into the Google Play store, the official and  most secure Android app store.

"We only detected a single application infected with Dendroid and it has already been removed from the Play Store," Lookout said on its blog. "However, the developer’s account is still open."

Injecting app APKs with malware isn't actually that difficult; cybercriminals have been doing it manually for years. Security researchers have even found other tools like Dendroid for automating the process, most famously the free AndroRAT. But Dendroid makes it easier and more accessible than ever.

To protect against Dendroid and other trojanized apps, make sure you have robust anti-virus protection on your phone and set it to frequently scan for malicious code. You should also only download Android apps from the Google Play store — make sure that "Unknown sources" is unchecked in your security settings — and then only from legitimate developers.

Email or follow her @JillScharr and Google+.  Follow us @TomsGuide, on Facebook and on Google+.

Jill Scharr is a creative writer and narrative designer in the videogame industry. She's currently Project Lead Writer at the games studio Harebrained Schemes, and has also worked at Bungie. Prior to that she worked as a Staff Writer for Tom's Guide, covering video games, online security, 3D printing and tech innovation among many subjects.