Carnegie Mellon University student Morgan C. Culbertson on Tuesday admitted in federal court to designing and trying to sell malware that allowed users to take control of other people’s Android phones.
“I am sorry to the individuals to whom my software may have compromised their privacy,” Mr. Culbertson said in pleading guilty to conspiracy to damage protected computers.
He told U.S. District Judge Maurice Cohill Jr. that he was pleading guilty because “I committed the crime” and promised that in the future he would use his skills to protect computer users.
Mr. Culbertson, 20, of Churchill, faces up to 10 years in prison when Judge Cohill sentences him in December, although he is unlikely to get anywhere near the maximum.
Assistant U.S. Attorney James Kitchen said that in 2013 Mr. Culbertson, who called himself “Android” online, conspired with another man, “Mike” from the Netherlands, to design a product called Dendroid and sell it on Darkode, an online marketplace for criminals and hackers.
Dendroid infected victims’ phones, allowing a customer who had bought the malware to spy on texts, pilfer files, take photos, review browser history and record conversations, all without the owners’ knowledge.
Mr. Culbertson later bought out Mike’s share of the partnership and started working with another individual identified as “Elzig,” Mr. Kitchen said, in an attempt to market Dendroid on Darkode.
Mr. Culbertson advertised the malware on Darkode for $300, saying he had spent “1.3 years” designing it, and also tried to auction the source code that would allow buyers to create their own version of Dendroid.
FireEye said in a statement that it had suspended Culbertson from future work at the company. It’s believed he was interning in summer 2014 as well as 2013.
One major concern for the company might be that Culbertson could have used confidential FireEye research to hone his malware.