The massive (and wonderful) data theft from Hacking Team has revealed that Italian spyware maker was using a fake Android app as a backdoor method of distribution for its Remote Control System. The app, BeNews, which stole the name of a now-defunct news website to feign legitimacy, was uncovered by Trend Micro’s Wish Wu yesterday.
“We believe that the Hacking Team provided the app to customers to be used as a lure to download RCSAndroid malware on a target’s Android device,” writes Wu.
Wu reveals further details on the malicious app and which Android devices it can affect:
“The backdoor, ANDROIDOS_HTBENEWS.A, can affect, but is not limited to, Android versions starting from 2.2 Froyo to 4.4.4 KitKat. It exploits CVE-2014-3153 local privilege escalation vulnerability in Android devices. This flaw was previously used by the root exploit tool TowelRoot to bypass device security, open it for malware download, and allow access to remote attackers.
Looking into the app’s routines, we believe the app can circumvent Google Play restrictions by using dynamic loading technology. Initially, it only asks for three permissions and can be deemed safe by Google’s security standards as there are no exploit codes to be found in the app. However, dynamic loading technology allows the app to download and execute a partial of code from the Internet. It will not load the code while Google is verifying the app but will later push the code once the victim starts using it.”
Wu found the source code for BeNews within the 400GB of stolen data from Hacking Team, a company that has been hammered for its flagrant disregard for civil liberties and human rights. Following the breach, Hacking Team has taken a defiant stance, revealing that it intends to develop a new version of its Remote Control System spyware in order to resume what it describes as its “criminal and intelligence investigations.”
Thank you CSO for providing us with this information.