A former intern at a security firm pleaded guilty to creating and selling the Dendroid malware on the raided Darkode forum.
Morgan Culbertson, 20, of Pittsburgh, PA, pleaded guilty before a federal judge in Pittsburgh and will be sentenced Dec. 2.
He faces a maximum of 10 years in prison and a $250,000 fine. He has no prior criminal convictions.
“I committed the crime, so I am responsible,” Culbertson told Senior U.S. District Judge Maurice Cohill Jr. Tuesday. “I understand what I did was wrong and I take full responsibility. I would like in the future to use my skills to help protect people.”
Dendroid had the capacity to infect 1,500 phones for each buyer.
The one-time blackhat had sold his Dendroid remote access Trojan for Android phones on the infamous Darkode forums while interning with security firm FireEye as part of its advanced persistent threat team.
Police arrested him after law enforcement officials raided the forum and took it down last July.
Culbertson hoped to infect some 450,000 phones with his malware, but no one knows how many copies of Dendroid he sold. He asked for $350 for the toolkit and $65,000 for the source code.
Dendroid is a sophisticated toolkit that lets thieves evade Google’s Play Store security controls, called Bouncer, by using anti-emulation to keep its malicious code from executing while the app is being screened.