PITTSBURGH (AP) — A Carnegie Mellon University student who developed and sold malicious software through an online cybercriminal marketplace that allowed others to remotely control Google Android smartphones has been sentenced to three years' probation.
U.S. District Judge Arthur Schwab also ordered Morgan Culbertson, 22, to perform 300 hours of community service. The native of Churchill, a Pittsburgh suburb, had faced up to 16 months in prison under federal sentencing guidelines. But he was spared incarceration after his defense attorney and prosecutors acknowledged his lack of a criminal record and efforts to use his prodigious computer skills constructively since he was charged in July 2015.
Culbertson has since helped develop language translation software for a major search engine firm, and mobile malware security software for another company, Schwab said, citing a presentence report.
Assistant U.S. Attorney Jimmy Kitchen described Culbertson as a "youthful" whiz kid "looking for a challenge" — but didn't downplay the very real harm caused by the Dendroid app Culbertson created.
"This is something that was highly invasive, highly dangerous and leaked out through the Darkode forum," Kitchen told the judge.
Culbertson is one of 12 people charged by U.S. authorities in a worldwide takedown of the Darkode.com cybercriminal marketplace. A total of 70 people worldwide have been targeted for allegedly using the cybercriminal marketplace where hackers bought and sold malicious software, and otherwise advertised schemes to infect computers and cellphones with software that could cripple or illegally control the devices.
"I'm very sorry for what I did and I will be haunted by this for the rest of my life," Culbertson told the judge, addressing the court after his parents and older brother read statements vouching for his remorse.
Culbertson is currently on leave from Carnegie Mellon, where he has completed his sophomore year studying electrical computer engineering, but hopes to continue his studies eventually.
Prosecutors haven't said how many phones were actually infected by Culbertson's Dendroid app, but have said he had plans with another Darkode compatriot to sell enough copies of it to infect 450,000 phones.
The Dendroid app was bound by a computer program to other Google apps so that when customers downloaded the apps onto their phones, they were unwittingly downloading Dendroid, too. A hacker who bought Dendroid from Culbertson for $300 to $400 online could control up to 1,500 phones, enabling the hacker to remotely cause the phone to shoot pictures or video, and therefore spy on the phone's owner. The malware also enabled hackers to track the phone owner's internet searches, text messages and other uses.
Kitchen said Culbertson worked online with a man identified only as "Mike from the Netherlands" to create Dendroid, then conspired with another man to develop the software that "bound" Dendroid to the Google apps.
Culbertson's online user name was "Android," Kitchen said.
Robert Culbertson, the defendant's father, cried as he told the judge that his son is a "very skilled programmer."
"He wants to bring some good out of this," Culbertson's father said.