{
	"id": "7a90363c-07b0-44e6-a860-0d173e155f2e",
	"created_at": "2026-04-06T00:13:50.838502Z",
	"updated_at": "2026-04-10T03:21:39.446817Z",
	"deleted_at": null,
	"sha1_hash": "36371292ed36e80f6a38eb910920246acf8f24ef",
	"title": "Endpoint Protection - Symantec Enterprise",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 243030,
	"plain_text": "Endpoint Protection - Symantec Enterprise\r\nArchived: 2026-04-02 12:29:50 UTC\r\nDarwinism is partly based on the ability for change that increases an individual’s ability to compete and survive.\r\nMalware authors are not much different and need to adapt to survive in changing technological landscapes and\r\nmarketplaces. In a previous blog, we highlighted a free Android remote administration tool (RAT) known as\r\nAndroRAT (Android.Dandro) and what was believed to be the first ever malware APK binder. Since then, we have\r\nseen imitations and evolutions of such threats in the threat landscape. One such threat that is making waves in\r\nunderground forums is called Dendroid (Android.Dendoroid), which is also a word meaning something is tree-like\r\nor has a branching structure.\r\nFigure 1. Dendroid advertisement banner\r\nDendroid is an HTTP RAT that is marketed as being transparent to the user and firmware interface, having a\r\nsophisticated PHP panel, and an application APK binder package. The APK binder used by Dendroid just so\r\nhappens to share some links to the author of the original AndroRAT APK binder.\r\nFigure 2. Dendroid control panel\r\nhttps://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=a29d7d7a-f150-46cf-9bb9-\r\na1f9f4d32a80\u0026CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68\u0026tab=librarydocuments\r\nPage 1 of 3\n\nAccording to postings on underground forums, the official seller of Dendroid is known as “Soccer.” The seller\r\nmarkets Dendroid as offering many features that have never been seen before and comes with 24/7 support, all for\r\na once off payment of $300 to be paid through BTC, LTC, BTC-e, or other services. 
Some of the many features on\r\noffer include the following:\r\nDelete call logs\r\nCall a phone number\r\nOpen Web pages\r\nRecord calls and audio\r\nIntercept text messages\r\nTake and upload photos and videos\r\nOpen an application\r\nInitiate an HTTP flood (DoS) for a period of time\r\nChange the command-and-control (C\u0026C) server\r\nFigure 3. Dendroid APK binder\r\nAs previously mentioned, according to reports on underground forums, the author of the Dendroid APK binder\r\nincluded with this package had assistance writing this APK binder from the author of the original AndroRAT APK\r\nbinder.\r\nThe evolution of remote access tools on the Android platform was inevitable. The creation of Dendroid and the\r\npositive feedback on underground forums for this type of threat shows that there is a strong cybercriminal\r\nmarketplace for such tools. On the PC platform, other crimeware toolkits like Zeus (Trojan.Zbot) and SpyEye\r\n(Trojan.Spyeye) started off in a similar manner and grew quickly in popularity due to their ease of use and\r\nnotoriety stemming from the high profile crimes perpetrated as a result of their usage. While this may be early\r\ndays for Dendroid, Symantec will be keeping a close eye on this threat.\r\nTo stay protected, Symantec recommends installing a security app, such as Norton Mobile Security, which detects\r\nthis threat as Android.Dendoroid. 
For general safety tips for smartphones and tablets, please visit our Mobile\r\nSecurity website.\r\nSource: https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey\r\n=a29d7d7a-f150-46cf-9bb9-a1f9f4d32a80\u0026CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68\u0026tab=librarydocuments",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=a29d7d7a-f150-46cf-9bb9-a1f9f4d32a80\u0026CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68\u0026tab=librarydocuments"
	],
	"report_names": [
		"viewdocument?DocumentKey=a29d7d7a-f150-46cf-9bb9-a1f9f4d32a80\u0026CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68\u0026tab=librarydocuments"
	],
	"threat_actors": [],
	"ts_created_at": 1775434430,
	"ts_updated_at": 1775791299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/36371292ed36e80f6a38eb910920246acf8f24ef.pdf",
		"text": "https://archive.orkl.eu/36371292ed36e80f6a38eb910920246acf8f24ef.txt",
		"img": "https://archive.orkl.eu/36371292ed36e80f6a38eb910920246acf8f24ef.jpg"
	}
}