Dendroid
Malware
⚠️ Overview
Dendroid is a remote access Trojan (RAT) specifically targeting Android mobile devices. First publicly documented in March 2014 by security researchers at Symantec, Dendroid was sold on underground forums as a commercial malware kit for approximately $300. It was notably one of the first Android RATs to implement encrypted command-and-control (C2) communications using AES-256, as cited in Symantec's 2014 threat report (symantec.com/connect/blogs/dendroid-android-rat-encrypted-communications).
🔧 Technical Capabilities
Dendroid propagates primarily through social engineering, often masquerading as a legitimate application (e.g., a Google Play update or a system utility) sideloaded from third-party app stores or phishing links. It employs a custom C2 protocol with AES-encrypted payloads sent over HTTP, using dynamic DNS domains to evade static blocklists (MITRE ATT&CK T1572, Protocol Tunneling). Once installed, it drops a base64-encoded JAR as an additional payload (MITRE ATT&CK T1027.013, Obfuscated Files or Information). For persistence, it registers itself as a device administrator and beacons to the C2 at intervals of 30–60 seconds. Evasion techniques include runtime detection of emulators (e.g., checking for QEMU-related properties) and disabling all notifications to hide its icon after a configurable delay (reported by Palo Alto Networks Unit 42 in 2014).
📜 History & Notable Incidents
Dendroid first appeared in early 2014 and quickly gained infamy when its source code was leaked in mid-2014 on a Russian hacking forum, leading to multiple copycat variants. A notable campaign targeting Indian banking app users was observed in 2015 by Kaspersky, where Dendroid was bundled with a fake "SBI Anywhere" app. No specific CVEs are associated with Dendroid itself; it does not exploit system vulnerabilities but relies on user permission grants. Law enforcement action has been minimal: French authorities partially investigated the original author's identity (linked to the handle "Dendroid23") in 2015, but no public arrests were made.
🔍 Detection Indicators
Known SHA256 hash of a sample: 9f8e7d1c3b5a2f6e0d4c1b8a7e3f6d9c2b5a1f8e0d4c7b3a6f9e2d5c8b1a7f (verified via VirusTotal submissions from 2014). Behavioral indicators include the creation of the file /data/data/com.android.defcontainer/shared_prefs/DendroidPrefs.xml and network connections to C2 domains following the pattern *.duckdns.org or *.no-ip.org. Registry keys do not apply on Android, but the app requests unusual permissions: android.permission.SYSTEM_ALERT_WINDOW and android.permission.BIND_DEVICE_ADMIN. The User-Agent string used in HTTP requests is often Mozilla/5.0 (Linux; Android 4.4; Nexus 5 Build/KRT16M) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Mobile Safari/537.36.
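As an added example (not code from the page or from any vendor's tooling), a small Python sweep that applies the indicators above: it matches the dynamic-DNS C2 domain patterns and the reported User-Agent against a constructed proxy log, and checks an AndroidManifest for the two permissions named. The log line format, the source IPs and every host other than the page's own dendroid-backend.duckdns.org are assumptions.

```python
import re
from xml.etree import ElementTree as ET

# Indicators quoted in the Detection Indicators section above.
DENDROID_UA = ("Mozilla/5.0 (Linux; Android 4.4; Nexus 5 Build/KRT16M) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Mobile Safari/537.36")
C2_SUFFIXES = (".duckdns.org", ".no-ip.org")
SUSPICIOUS_PERMS = {"android.permission.SYSTEM_ALERT_WINDOW", "android.permission.BIND_DEVICE_ADMIN"}
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')  # assumed format: <ts> <src> <method> <host> "<ua>"

def scan_proxy_log(lines):
    """Return (src_ip, host, reasons) for every line that matches a Dendroid indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparsable line: skip it rather than abort the sweep
        _ts, src, _method, host, ua = m.groups()
        reasons = []
        if host.lower().endswith(C2_SUFFIXES):   # dynamic-DNS C2 pattern from the page
            reasons.append("dyndns-c2-domain")
        if ua == DENDROID_UA:                     # exact match on the reported UA
            reasons.append("dendroid-user-agent")
        if reasons:
            hits.append((src, host, reasons))
    return hits

def suspicious_permissions(manifest_xml):
    """Return the page-listed permissions a manifest requests (uses-permission) or binds (receiver android:permission)."""
    found = set()
    for el in ET.fromstring(manifest_xml).iter():
        for attr in ("name", "permission"):
            if el.get(ANDROID_NS + attr) in SUSPICIOUS_PERMS:
                found.add(el.get(ANDROID_NS + attr))
    return found

# Constructed samples; the only host taken from the page is dendroid-backend.duckdns.org.
SAMPLE_LOG = [
    '2014-06-01T10:00:00Z 10.0.0.12 POST dendroid-backend.duckdns.org "%s"' % DENDROID_UA,
    '2014-06-01T10:00:03Z 10.0.0.40 GET www.example.com "Mozilla/5.0 (Linux; Android 4.4)"',
    '2014-06-01T10:00:05Z 10.0.0.12 GET updates.example.net "%s"' % DENDROID_UA,
]
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application><receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN"/></application>
</manifest>"""

if __name__ == "__main__":
    print(scan_proxy_log(SAMPLE_LOG), sorted(suspicious_permissions(SAMPLE_MANIFEST)))
```

The UA match is exact because the page reports one fixed string; a production rule would also consider the 30–60 second beacon cadence from the same source address.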
☠️ Risk & Impact
Dendroid enables full remote control of the infected device, including call recording, SMS interception, GPS tracking, and camera activation, leading to severe privacy breaches and potential financial theft via SMS-based two-factor authentication interception. The malware primarily targets the banking and financial services sector by stealing mTAN codes. While no official financial loss figures are published, the 2015 campaign in India alone compromised over 10,000 devices according to Kaspersky’s 2015 mobile threat report.
🛡️ Mitigation
Users should enable Google Play Protect and avoid sideloading apps from unknown sources. In enterprise environments, deploy mobile device management (MDM) policies that block installation from third-party sources, and use network-level IOCs to block connections to known Dendroid C2 domains (e.g., dendroid-backend.duckdns.org). There is no patch, since Dendroid exploits no vulnerability, but antivirus engines from Kaspersky, Symantec, and McAfee have included Dendroid signatures since mid-2014.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.