Hacking Team Android malware could hack 500m Android devices

Malware researchers reckon the Hacking Team leak has given criminals a “weaponised” toolset that could be used to hack half a billion Android users.

Researchers at Trend Micro have dissected yet another piece of malware exposed in the 400GB of Hacking Team files leaked by someone last Sunday.

The latest is the Hacking Team’s open-source mobile malware suite dubbed Remote Control System Android or RCSAndroid — the company’s lawful intercept product that helped law enforcement agencies around the world compromise and monitor a target’s Android device. And like many others in the security industry, a Trend Micro researcher is impressed with the firm’s handiwork behind the Android attack tool.

“The RCSAndroid code can be considered one of the most professionally developed and sophisticated Android malware ever exposed,” said Veo Zhang, a mobile threat analyst with Trend Micro.

The real problem, now that the Hacking Team’s files have been leaked, is that just under half of the more than one billion Android users across the world could become targets of non-government hackers who use the foundations of Hacking Team’s professional surveillance kit to build information-stealing software.

“The leaked RCSAndroid code is a commercial weapon now in the wild,” Zhang noted, adding that it could offer criminals a “new weaponized resource for enhancing their surveillance operations.”

“Should a device become infected, this backdoor cannot be removed without root privilege. Users may require the help of their device manufacturer to get support for firmware flashing,” wrote Zhang.

Details of RCSAndroid were first brought to light by a Citizen Lab report last year; however, its analysis was derived from leaked technical documentation that Hacking Team provided to its customers in 2013. It revealed an array of modules that enabled an attacker to log keystrokes, access saved passwords, record calls, take screenshots, use the device’s camera, create silent conference calls, record audio and more.

Citizen Lab also found the Hacking Team used a fake news app distributed via Google Play to deliver its payload — a technique that was also confirmed last week by Trend Micro in files from the company.


Trend Micro’s analysis of RCSAndroid found the same capabilities, but fleshed out a few details. RCSAndroid can, according to Trend, capture real-time voice calls in any network or app; collect passwords for popular apps including Skype, Facebook, Twitter, Google, WhatsApp, Mail, and LinkedIn; collect Gmail messages; and decode messages from messenger apps including Facebook Messenger, WhatsApp, Skype, Viber, Line, WeChat, Hangouts, Telegram, and BlackBerry Messenger.

Zhang said RCSAndroid had been in the wild since 2012 and used two key methods to lure targets. The first was a specially crafted URL sent by email or SMS that triggered exploits for two vulnerabilities in the default Android browser that shipped with all Android devices prior to Android 4.4.4 (KitKat).

If criminals do leap onto the Hacking Team source code, it could spell trouble for a large portion of Android users with devices that can’t be updated to KitKat. Google’s figures for Android devices hitting the Google Play app store in May show that 48 percent of over one billion Android devices are on pre-KitKat Android and therefore would be vulnerable to Hacking Team’s attack kit.

The other method relies on trickery. Trend Micro discovered the “BeNews” app (ANDROIDOS_HTBENEWS.A) that was distributed on Google Play and used as a vehicle to deliver a Hacking Team shell backdoor, which has an evidence collecting module and another that kicks into action when it appears a user is attempting to purge the malware.

Cybercriminals are also likely not concerned about new legislation that imposes restrictions on the export of intrusion software sold by Hacking Team and others.

The Hacking Team on Wednesday hit back at media reports criticising it for selling its software to repressive governments such as Sudan and Ethiopia, claiming that it was compliant with EU regulations based on the Wassenaar Arrangement when they came into effect in January. Under EU law, Italy is required to regulate the export of intrusion software — now considered a dual-use technology that can be deployed with military or civilian aims — as well as outright weapons.

“The sale of ‘weapons’ has been banned to certain countries. Hacking Team technology has never been categorized as a weapon. At the time of the company’s only sale to Sudan in 2012, the HT technology was not classified as a weapon, arms or even dual use,” said Eric Rabe, Hacking Team’s communications officer.

“In fact, it is only recently that Hacking Team technology has been categorized under the Wassenaar Arrangement as a ‘dual use technology’ that could be used for both civil and military purposes. Dual use technologies are regulated separately from weapon technologies.”

This article is brought to you by Enex TestLab, content directors for CSO Australia.


Stories by Liam Tung
