Monday, 10 March 2014

“TROJANIZING” APPS




Dendroid 'Trojanizer' Turns Apps Into Malware For Just $300
The word "Trojan" is most often associated with a virus program that almost anyone who has used a computer system may come across.
And with this recent development, the "Trojan" could be right in your pocket. *winks*
As crime goes commercial in day-to-day life, it is therefore a MUST for you to be very careful.

Here is the latest in regard to the above statement:
Tom’s Guide released this: You can now buy a tool online that turns Android apps into malware in just a few simple steps.
Called Dendroid, the tool costs only $300 and comes with 24-hour support. Naturally, the developers accept Bitcoin.
First discovered by security research firm Symantec, Dendroid is a remote access tool (RAT) that “trojanizes” legitimate apps by inserting its malicious code into the application package file, or APK.

Dendroid, whose name is an adjective meaning “treelike” or “branching,” can be purchased on underground online markets from a user who goes by “Soccer.”  
Dendroid buyers also receive what’s called an APK binder, which lets them “bind” Dendroid’s functionality into the APK, thus creating an app that looks normal on the outside but is full of malware on the inside.
Criminals can then put the infected app into an Android app market, and anyone tricked into downloading and installing it will be infected. The malware can’t trojanize apps that are already downloaded onto your phone.
Dendroidified apps can do just about anything a cybercriminal could want: delete the infected phone’s call logs, make it secretly call specific phone numbers, open Web pages, intercept text messages and more. The malware can even access the phone’s microphone and camera to silently record calls and take video and photos.
Users can control these features through a command-and-control server, which appears to be included in Dendroid’s $300 price.



Mobile anti-malware developer Lookout claims that Dendroid seems designed to get its infected apps into the Google Play store, the official and most secure Android app store.
"We only detected a single application infected with Dendroid and it has already been removed from the Play Store," Lookout said on its blog. "However, the developer’s account is still open."
Injecting app APKs (Android application package files) with malware isn’t actually that difficult; cybercriminals have been doing it manually for years. Security researchers have even found other tools like Dendroid for automating the process, most famously the free AndroRAT. But Dendroid makes it easier and more accessible than ever.


To protect against Dendroid and other "Trojanizing" apps, make sure you have robust anti-virus protection on your phone and set it to frequently scan for malicious code. You should also only download Android apps from the Google Play store — make sure that “Unknown sources” is unchecked in your security settings — and then only from legitimate developers.

CRYPTOCAT ENCRYPTED CHAT APP ARRIVES ON iPhone & iPad



In the news: the encrypted chat app Cryptocat has made it to iPhone and iPad, adding itself to the growing list of privacy-conscious mobile messaging apps.
“Easily have group conversations with your friends without fearing monitoring or interception,” reads the app’s description in Apple’s iTunes Store. “Cryptocat is [a] free, open chat that aims to provide an open accessible Instant Messaging environment with a transparent layer of encryption that’s easy to use.”


Unlike other secure messaging apps — such as Wickr, TextSecure or Silent Text — Cryptocat doesn’t require fixed usernames or accounts. Instead, people can create a disposable username and then start a new conversation or join an existing one.
“There are no buddy lists or account activity or account history to link back to the user,” lead Cryptocat developer Nadim Kobeissi wrote on the Cryptocat blog. “This way, Cryptocat offers a unique ephemerality that makes setting up encrypted conversations immediate and without any lasting history that can be traced back to users.”
Cryptocat apps already exist for several web browsers, including Apple Safari, Google Chrome, Mozilla Firefox and Opera. There’s also a stand-alone client for Mac OS X. The iOS mobile app can interact with any other Cryptocat build.


Asked whether Cryptocat was planning an Android version as well, Kobeissi told Tom’s Guide, “Yes!”
Asked whether he planned to ever make money off Cryptocat, Kobeissi, a recent college graduate based in Montreal, said, “No!”
Cryptocat uses the Off-the-Record Messaging (OTR) protocol to encrypt its messages, but its developers warn that it’s not perfect, and it certainly isn’t safe from prying by the National Security Agency or other intelligence or police services.
“Cryptocat is not a magic bullet,” the Cryptocat Chrome app warns. “You should never trust any piece of software with your life. Cryptocat can’t protect you against untrustworthy people or key loggers, and does not anonymize your connection” as Tor would. (An anonymizing Tor plug-in for several chat applications is in the works.)
Jonathan Zdziarski, a Boston-based expert on extracting data from iOS devices, stressed the Cryptocat iOS app’s limitations in a review he posted on the iTunes Store page.
"The app leaves behind a treasure trove of forensic artifacts that can be lifted from your device if it is ever stolen, hacked or seized by law enforcement," Zdziarski wrote. "All your past typing is logged into Apple’s keyboard cache … The app also intentionally stores the user’s private key, room name, nick[name], buddies and other identifying information in the configuration file."
"If I could figure this out in just a couple of minutes," Zdziarski added, "I’m sure bad guys/feds/etc. are figuring it out too."
Kobeissi told Tom’s Guide that Zdziarski was aiming at the wrong target.
"His comments ignore the threat model," Kobeissi said in an email message. "If you seize any iPhone, surely you can get some data via forensics. Cryptocat’s security goals are protecting data from interception, not protecting your phone from forensics."
Last year, serious flaws in Cryptocat encryption were discovered and patched.
"Every time there has been a security issue with Cryptocat, we have been fully transparent, fully accountable and have taken full responsibility for our mistakes," Kobeissi wrote on the Cryptocat blog following the patch.
 Source: YahooTech