
S0301: Dendroid

Dendroid is an Android remote access tool (RAT) primarily targeting Western countries. The RAT was available for purchase for $300 and came bundled with a utility to inject the RAT into legitimate applications.[1]

Domain: Mobile | ID: S0301 | Type: Malware | Object version: 2.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Dendroid is an Android remote access tool described by ATT&CK as being bundled with a utility to inject the RAT into legitimate applications. For leaders, the practical concern is mobile trust: a user may believe they installed a normal app while the device can be used to capture credentials through fake prompts, record audio or video, access local data, and interact with SMS. This matters most where Android devices touch corporate identity, messaging, sensitive conversations, or regulated data.

Executive priority

Treat this as a mobile security and identity-risk validation point rather than a single malware signature. Executives should ask whether Android devices with business access are governed by app provenance controls, permission monitoring, mobile threat detection, and incident response procedures for suspected microphone/camera/SMS abuse. The ATT&CK object provides no official detection guidance, so audit evidence should focus on whether the organization can prove which apps are installed, what permissions they hold, and whether suspicious mobile behaviors would be escalated.

Technical view

SOC, detection, and IR teams should validate coverage for Android behaviors linked to Dendroid’s ATT&CK relationships: GUI input capture, audio capture, video capture, local data access, SMS control and SMS collection, system checks for analysis avoidance, and masquerading as legitimate app names or locations. Because the object has no specified tactics and no official detection text, detections should be behavior-led: unusual permission combinations, apps mimicking trusted packages/icons, SMS handler changes or SMS send/receive access, access to SMS content providers, microphone/camera use by unexpected apps, and signs that an app behaves differently in sandbox or analysis environments.

Likely telemetry

  • Android application inventory, package names, signing/provenance, icons, install source, and app location metadata
  • Android permission grants and permission-change history, especially microphone, camera, SMS, and local storage/data access
  • Mobile device management or mobile threat defense alerts for risky/sideloaded/repackaged applications
  • Microphone and camera access events where available from device, OS, or mobile security tooling
  • SMS send/receive activity, default SMS handler changes, and SMS content provider access where available

Detection direction

  • Confirm whether mobile telemetry can distinguish legitimate apps from apps that only match a trusted name, icon, package-like naming pattern, or installation location.
  • Tune for suspicious combinations rather than single permissions alone; camera, microphone, SMS, and local data permissions can be legitimate but become higher risk when present in unexpected app categories or newly installed/repackaged apps.
  • Validate that Android SMS behaviors are visible, including SEND_SMS, RECEIVE_SMS, default SMS handler status, and access to SMS message stores where supported by tooling and policy.
  • Include mobile identity context: prioritize alerts from devices that access corporate email, SSO, collaboration tools, regulated data, or privileged workflows.
  • Account for blind spots: ATT&CK provides no official Dendroid detection logic, and mobile OS privacy controls, BYOD limits, and incomplete MDM enrollment can prevent collection of needed evidence.
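A behaviour-led triage of an Android app inventory along the lines sketched in this list, as an added example that is not part of the Glexia or MITRE page; the inventory format, the trusted-app allowlist, the signer digests and the installer/category values are constructed assumptions, not a real MDM export.

```python
from dataclasses import dataclass

# Constructed allowlist: app label -> (expected package name, expected signing-cert digest placeholder).
TRUSTED_APPS = {
    "Messages": ("com.google.android.apps.messaging", "SIGNER-DIGEST-PLACEHOLDER-A"),
}
SMS_PERMS = {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
             "android.permission.READ_SMS"}
AV_PERMS = {"android.permission.RECORD_AUDIO", "android.permission.CAMERA"}
# Categories where SMS plus microphone/camera together have no obvious business need.
UNEXPECTED_FOR_SMS_AV = {"game", "wallpaper", "utility", "unknown"}
PLAY_STORE_INSTALLER = "com.android.vending"   # installer package recorded for Play installs

@dataclass
class AppRecord:
    package: str
    label: str
    signer: str
    permissions: set
    installer: str            # installer package, or "sideload" if none was recorded
    category: str = "unknown"

def triage(app: AppRecord) -> list:
    """Return escalation reasons for one app; an empty list means no finding."""
    findings = []
    expected = TRUSTED_APPS.get(app.label)
    # T1655.001: a trusted label on a different package or signer.
    if expected and (app.package, app.signer) != expected:
        findings.append("masquerade: trusted label, unexpected package/signer")
    has_sms = bool(app.permissions & SMS_PERMS)
    has_av = bool(app.permissions & AV_PERMS)
    # T1582/T1636.004 beside T1429/T1512: SMS control together with audio/camera access.
    if has_sms and has_av and app.category in UNEXPECTED_FOR_SMS_AV:
        findings.append("permissions: SMS plus audio/camera in unexpected category")
    # Provenance: the same capabilities in a sideloaded/repackaged app rank higher.
    if app.installer != PLAY_STORE_INSTALLER and (has_sms or has_av):
        findings.append("provenance: sideloaded app with SMS or audio/camera access")
    return findings

def triage_inventory(apps: list) -> dict:
    """Map package name -> findings, keeping only apps with at least one finding."""
    return {a.package: triage(a) for a in apps if triage(a)}

# Constructed sample inventory: one genuine Messages app, one repackaged look-alike.
SAMPLE_INVENTORY = [
    AppRecord("com.google.android.apps.messaging", "Messages", "SIGNER-DIGEST-PLACEHOLDER-A",
              SMS_PERMS | {"android.permission.READ_CONTACTS"}, PLAY_STORE_INSTALLER, "communication"),
    AppRecord("com.example.messages.free", "Messages", "SIGNER-DIGEST-PLACEHOLDER-Z",
              SMS_PERMS | AV_PERMS, "sideload", "utility"),
]
```

Running `triage_inventory(SAMPLE_INVENTORY)` flags only the look-alike, with all three reasons; the genuine Messages app holds SMS permissions but matches its expected package and signer and came from the store, so it produces no finding.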

Mitigation priorities

  • Prioritize app provenance controls for Android devices with business access, including restrictions or review processes for sideloaded, repackaged, or untrusted applications.
  • Enforce least-privilege mobile permissions and review apps requesting microphone, camera, SMS, or broad local data access without a clear business need.
  • Use MDM or mobile security controls to maintain app inventory, flag risky applications, and support quarantine or access revocation for suspect devices.
  • Protect corporate identity access with conditional access or equivalent policy decisions tied to device posture where available.
  • Prepare IR playbooks for suspected mobile RAT activity, including device isolation, preservation of app/permission/SMS evidence, credential reset decisions, and review of data accessible from the device.

Analyst notes and limits

The most decision-useful part of this ATT&CK entry is the relationship set: Dendroid is associated with Android behaviors that affect confidentiality, identity capture, and device-mediated surveillance. The object’s description also notes availability for purchase and injection into legitimate applications, which makes app provenance and impersonation controls especially relevant. No attribution or current exploitation claim is made here.

ATT&CK provides no official detection section, no aliases, no specified tactics, and only Android as the supported platform for this malware object. The related techniques include some Android/iOS descriptions, but Dendroid itself should be treated as Android-only based on the supplied object. Local telemetry availability will depend heavily on MDM enrollment, BYOD policy, Android version, mobile security tooling, and privacy constraints.

Official MITRE ATT&CK definition

Dendroid

Dendroid is an Android remote access tool (RAT) primarily targeting Western countries. The RAT was available for purchase for $300 and came bundled with a utility to inject the RAT into legitimate applications.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Mobile | T1633.001 | System Checks (sub-technique) | Dendroid can detect if it is being run on an emulator.[1]
Mobile | T1636.004 | SMS Messages (sub-technique) | Dendroid can intercept SMS messages.[1]
Mobile | T1417.002 | GUI Input Capture (sub-technique) | Dendroid can open a dialog box to ask the user for passwords.[1]
Mobile | T1533 | Data from Local System | Dendroid can collect the device's photos, browser history, bookmarks, and accounts stored on the device.[1]
Mobile | T1655.001 | Match Legitimate Name or Location (sub-technique) | Dendroid can be bound to legitimate applications prior to installation on devices.[1]
Mobile | T1582 | SMS Control | Dendroid can send and block SMS messages.[1]
Mobile | T1429 | Audio Capture | Dendroid can record audio and outgoing calls.[1]
Mobile | T1512 | Video Capture | Dendroid can take photos and record videos.[1]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 2.0
Created:
Modified:
Raw hash: 05855791206cdc69...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 2.0 | | Current bundle | 05855791206c…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Lookout-Dendroid: Marc Rogers. (2014, March 6). Dendroid malware can take over your camera, record audio, and sneak into Google Play. Retrieved December 22, 2016.
  2. [2] Dendroid (Citation: Lookout-Dendroid)
  3. [3] mitre-attack S0301

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.