In the crush of news about the Hacking Team attacks and the subsequent flurry of vulnerabilities, mainly affecting Adobe, there was one piece of critical information for Android users that many have overlooked.
Among the tricks and tools that we’ve discovered the Hacking Team has at their disposal is a particularly nasty piece of Android malware known as RCSAndroid or Remote Control System Android.
The company sold this malware as a tool for monitoring targets. Unlike other malware, it was designed to be installed on a phone and never be discovered. It provides whoever installs it with complete, near-invisible control of the Android phone.
Unlike other malware for PCs or Android, this particular malware is optimized to be a true spying tool. Among the things it does when installed are capturing information about what is on the Android device’s screen, collecting text and SMS messages, gathering email, and taking photos. This malware is even optimized to tap phone conversations and turn on the built-in microphone to record conversations.
Of course this particular malware was also designed to remain hidden once installed.
And it installs itself by using a thorough and effective combination of exploits and attacks against the Android device. It tries every means it can to get onto the device until it finds one that works.
It turns out that this threat has been around since 2012, but in July it took an important turn for two reasons.
First, with the disclosure of stolen documents from the Hacking Team attacks, researchers like ours were able to tear the malware apart and understand it better. Second, thanks to that new understanding, our researchers were able to confirm a way that the malware could be delivered by way of seemingly legitimate apps downloaded from Google Play. While the malware itself wasn’t on Google Play, other apps that would enable its later installation were. Google has addressed the situation and none of the enabling apps are available on Google Play anymore.
As Android threats go, this was one of the most pernicious and sophisticated we’ve seen, which isn’t surprising since it was designed for sale for use by private and nation-state intelligence organizations.
While most of us feel unlikely to be the target of sophisticated spying malware like this, now that the tools and tricks behind this malware are available to all, we can expect to see it used more widely by other malware writers. And the fact that this malware is able to be installed by apps that were on Google Play also underscores how dangerous the malware situation on Android can be. After all, we have noted how Android malware crossed the 5 million mark in March 2015.
If you use Android, this is another reminder that using security on Android should be as second nature as using security on Windows PCs. And our research has shown that our own Trend Micro Mobile Security & Antivirus app for Android would be effective in preventing RCSAndroid from successfully installing itself on Android devices.
If you’re concerned about this threat but aren’t currently using Trend Micro Mobile Security & Antivirus, you can go ahead and download it and run a manual virus scan as well as a manual privacy scan.
Unfortunately, this won’t be the last of these kinds of threats. The recent “Stagefright” scare also shows that Android malware and vulnerabilities are becoming more frequent, common and dangerous. So if you’re not running security on your Android device already, this is a good day to change that and better protect yourself moving forward.
Please add your thoughts in the comments below or follow me on Twitter: @ChristopherBudd.