20-Year-Old Teen Sold Dendroid For More Money To Enable Buyers To Create Their Own Customized Version Of The Malware
Morgan Culbertson, a former student at the cybersecurity company FireEye, pleaded guilty Tuesday in federal court to designing a malicious software tool that gives hackers the ability to remotely control the functions of Android phones. He was also charged with conspiring to send malicious code. Culbertson sold the toolkit, known as Dendroid, on the Darkode dark net marketplace.
Dendroid was a software toolkit used to create trojanised applications that infect Android-based smartphones. The malware is created by modifying the permissions required by any clean APK (Android Application Package) and combining it with Dendroid RAT functionality, which allows detailed management of the infected devices. The virus allows hackers to place phone calls, intercept incoming and outgoing text messages, open applications, and delete call logs. Due to the intricacies of Dendroid, its users are able to sneak infected applications into the Google Play store.
According to a Darkode post by “Android” in October 2013, the virus took “1.3 years to fully develop.” At the time of the creation of the malware, Culbertson was about 17 years old. He is a graduate of the private Winchester Thurston School, in Shadyside.
Though “Dendroid” was advertised on Darkode in October 2013, the virus did not draw concern from the security community until March 2014, when American tech company Symantec discovered the malware.
By late March, Dendroid had targeted Android users in India, warranting a security advisory from CERT-In, the Computer Emergency Response Team of India.
As quoted by the Pittsburgh Post-Gazette, Culbertson said in Pennsylvania federal court, “I am sorry to the individuals to whom my software may have compromised their privacy. I committed the crime.”
At 20 years old, Culbertson is one of the youngest individuals being investigated. He listed Dendroid for $300 on Darkode, where the members of the Lizard Squad hacking collective and other nefarious customers were able to purchase it before the site was shut down. He also offered to sell the source code for Dendroid for more money, to allow buyers to create their own customized version of the malware.
Culbertson faces a $250,000 fine and a maximum of 10 years in prison.