The malicious APKs can purportedly intercept, block, and send out SMSes; record ongoing phone calls; take pictures, record video and audio by using the device's camera and microphone; download pictures the device owner has already made, as well as his or her browser history and bookmarks; and extract saved login credentials and passwords for a variety of accounts.
"This means that all a wannabee malware author needs in order to start pumping out infected applications is to choose a carrier app, download it and then let Dendroid’s toolkit take care of the rest."
Sold for $300 (in crypto currencies), the toolkit comes with a warranty that the malware created with it will remain undetected.
The researchers have discovered one app created with Dendroid that managed to get included and offered on Google Play by leveraging anti-emulation detection code that fools Google Play's Bouncer, the automated app scanning service that analyzes apps by running them on Google’s cloud infrastructure and simulating how they will run on an Android device. The app has since been removed from the market. (more)
Why this is important...
It means that any jerk with $300 and some computer skills can turn any other app into your worst nightmare. BTW, it can be detected. q.v. SpyWarn™ — coming soon.
