A binder tool that turns legitimate Android apps into trojans may be a dream come true for criminals with ill intent but little skill or patience to craft their own malicious code.
Binders were the first tools that easily allowed users to repackage and make trojans of legitimate Android apps. The AndroRAT APK Binder (Remote Access Trojan) was sold for $37 on underground forums as of November.
AndroRAT could make calls and send text messages, operate the microphone and camera, and access victims' GPS coordinates and other data stored on the device.
It contained a simple graphical user interface and control panel, according to Symantec principal security response manager Vikram Thakur.
“The binder will ask you for a clean application, and ask where you want to set up your command-and-control server,” Thakur said.
“Someone who doesn't need to know anything about code can do this for about 40 bucks. Eventually, you are going to have to distribute that trojanised application yourself, but it will give you the code. It just spits out the package for the application.”
So far, fewer than 1000 devices worldwide have been infected with AndroRAT, also known as Dandro, with the majority of cases in the United States and Turkey.
Symantec researchers have tracked a rise in infection numbers recently, however, and expect incidents to increase as fraudsters continue to develop tools, like binders, to spread Android remote access trojans.
About 23 popular apps have been infected with AndroRAT, Symantec found, though none have been detected in the official Google Play store.
Thakur added that one red flag among the apps infected with AndroRAT is that they are usually available for free in third-party stores, while the clean versions of the apps require payment.
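A defender comparing a third-party copy of an app against the clean release can check whether the copy requests permissions that gate the capabilities described above (calls, text messages, microphone, camera, GPS). The following is an added example, not code from Symantec or from the article; it assumes both manifests have already been decoded to text XML, and the package name and manifests are constructed samples.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Android permissions that gate the capabilities the article attributes to AndroRAT.
CAPABILITY_PERMISSIONS = {
    "android.permission.CALL_PHONE": "make calls",
    "android.permission.SEND_SMS": "send text messages",
    "android.permission.RECORD_AUDIO": "operate the microphone",
    "android.permission.CAMERA": "operate the camera",
    "android.permission.ACCESS_FINE_LOCATION": "access GPS coordinates",
}

def requested_permissions(manifest_xml):
    """Return the set of permission names requested by a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:
                names.add(name)
    return names

def diff_permissions(clean_xml, suspect_xml):
    """Report permissions present in the suspect copy but not in the clean release."""
    added = requested_permissions(suspect_xml) - requested_permissions(clean_xml)
    flagged = {p: CAPABILITY_PERMISSIONS[p] for p in sorted(added)
               if p in CAPABILITY_PERMISSIONS}
    other = sorted(p for p in added if p not in CAPABILITY_PERMISSIONS)
    return {"capabilities": flagged, "other_added": other}

# Constructed sample manifests (hypothetical package com.example.game).
CLEAN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>"""

SUSPECT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
</manifest>"""

if __name__ == "__main__":
    report = diff_permissions(CLEAN, SUSPECT)
    for perm, capability in report["capabilities"].items():
        print(f"added: {perm} -> can {capability}")
    print("other added permissions:", report["other_added"])
```

An empty diff does not show a copy is clean, since an app that already requests these permissions gives a repackaged version nothing new to ask for.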