A former FireEye intern has pleaded guilty to creating and selling the Dendroid malware on the raided Darkode criminal forum.
Morgan Culbertson, 20, of Pittsburgh, pleaded guilty before a Pittsburgh federal judge and faces sentencing 2 December.
He faces a maximum of 10 years prison and a $250,000 fine, and has no prior criminal convictions.
"I committed the crime, so I am responsible," Culbertson told Senior U.S. District Judge Maurice Cohill Jr. Tuesday, Associated Press reports.
"I understand what I did was wrong and I take full responsibility.
"I would like in the future to use may skills to help protect people."
Dendroid had the capacity to infect some 1,500 phones for each buyer.
The one-time blackhat had sold his Dendroid remote access trojan for Android phones on the infamous Darkode forums while interning with security firm FireEye as part of its advanced persistent threat team.
He was arrested after the notorious forum was raided and taken down by FBI and other federal law enforcement agencies last July.
Culbertson hoped to infect some 450,000 phones with his malware but it is not known how many copies of Dendroid he sold.
He asked for US$350 for the toolkit and US$65,000 for the source code.
Dendroid is a sophisticated toolkit allowing thieves to evade Google's Play Store security controls, dubbed Bouncer, by using anti-emulation to prevent execution of malcode.
"Dendroid offers a full command and control infrastructure with a control panel every bit as feature rich as some of the more sophisticated Russian botnets," Lookout Security researcher Marc Rogers said in analysis published last year. Darkode went dark for a time after the raid, then appeared to have resurfaced with new security controls and more vetted members and staff. At the time of writing the address Darkode.cc is inaccessible.
Damballa senior threat researcher Loucif Kharouni says forum administrator known as Sp3cal1st who claims to be rebuilding the new Darkode will not be able to regain the trust of the criminal underground. ®