A Carnegie Mellon University student and former FireEye intern pleaded guilty on Tuesday to designing the “Dendroid” malware and attempting to sell it on the recently-busted Darkode. Morgan C. Culbertson, 20, admitted to a Pittsburgh federal court that he had created the sophisticated Android hijacker, and now faces up to 10 years in prison and $250,000 in fines.
Culbertson offered Dendroid for sale on Darkode for $300, and the source code was offered for $65,000, though his lawyer says he was unsuccessful in selling the code, the Pittsburgh Post-Gazette reports. Despite that, The Register reports that FireEye had called Dendroid its chief enemy. FireEye posted a threat report referring to Dendroid in March 2014, just a couple of months before Culbertson started a 12-week internship at the security company, according to his LinkedIn profile. Among the experience listed there, Culbertson said that he completed the internship with the Advanced Persistent Threat team’s Mobile Malware Research unit.
“I improved Android malware detection by discovering new malicious malware families and using a multitude of different tools, automation techniques and decompiling analysis heuristics,” Culbertson says on LinkedIn. FireEye confirmed to The Register that Culbertson was an intern there.
A 2014 blog post by Marc Rogers of security firm Lookout compared Dendroid favorably to the more feature-rich Russian botnets, saying it was “a step change upwards in the complexity of all-in-one malware toolkits for Android.”
Darkode was taken down and numerous members arrested in July as the culmination of an investigation led by the FBI’s Pennsylvania field office. It was back online a couple of weeks later, with new security measures, but it remains to be seen if it will reach the criminal status of its former version.
Security expert Graham Cluley urges security companies to carefully consider the character of new hires, given the privileged knowledge and position that come with working for a successful cybersecurity firm.