We analyzed the recent Hacking Team dump and found a sample of a fake news app that appears to be designed to circumvent filtering in Google Play. This is following news that iOS devices are at risk of spyware related to the Hacking Team. The fake news app was downloaded up to 50 times before it was removed from Google Play on July 7.
The “BeNews” app is a backdoor app that uses the name of defunct news site “BeNews” to appear legitimate. We found the backdoor’s source code in the leak, including a document that teaches customers how to use it. Based on these, we believe that the Hacking Team provided the app to customers to be used as a lure to download RCSAndroid malware on a target’s Android device.
The backdoor, ANDROIDOS_HTBENEWS.A, can affect, but is not limited to, Android versions starting from 2.2 Froyo to 4.4.4 KitKat. It exploits CVE-2014-3153 local privilege escalation vulnerability in Android devices. This flaw was previously used by the root exploit tool TowelRoot to bypass device security, open it for malware download, and allow access to remote attackers.
Figure 1. Screenshots of the ‘BeNews” Android app by Hacking Team
Looking into the app’s routines, we believe the app can circumvent Google Play restrictions by using dynamic loading technology. Initially, it only asks for three permissions and can be deemed safe by Google’s security standards as there are no exploit codes to be found in the app. However, dynamic loading technology allows the app to download and execute a partial of code from the Internet. It will not load the code while Google is verifying the app but will later push the code once the victim starts using it.
Figure 2. Screenshots of dynamic loading code path src/libbson/bson.cpp
Leaked Code Includes How-To and Google Play Account
We also found the source code of the backdoor and its server among the Hacking Team dump. The document labeled “core-android-market-master.zip” includes detailed instructions on how customers can manipulate the backdoor as well as a ready-made Google Play account they can use.
Figure 3. Document for manipulating BeNews server settings
Figure 4. Document for managing the backdoor in Google Play
With the proliferation of efforts similar to Hacking Team’s, end users need to stay alert for updates on the security front. This includes the mobile landscape as well. To protect mobile devices from threats that try to bypass built-in Google Play security measures, Trend Micro offers security for Android mobile devices through Mobile Security for Android™. Users may also acquire the mobile security solution via Google Play. Read more about mobile safety tips and tricks in our threat intelligence center for Mobile Safety.
Below is the SHA1 hash related to the threat discussed:
Timeline of posts related to the Hacking Team
|July 5||The Italian company Hacking Team was hacked, with more than 400GB of confidential company data made available to the public.|
Three exploits – two for Flash Player and one for the Windows kernel—were initially found in the information dump. One of these [CVE-2015-5119] was a Flash zero-day.
The Windows kernel vulnerability (CVE-2015-2387) existed in the open type font manager module (ATMFD.dll) and can be exploited to bypass the sandbox mitigation mechanism.
|July 11||Two new Flash zero-day vulnerabilities, CVE-2015-5122 and CVE-2015-5123, were found in the hacking team dump.|
|July 13||Further analysis of the hacking team dump revealed that the company used UEFI BIOS rootkit to keep their Remote Control System (RCS) agent installed in their targets’ systems.|
|July 14||A new zero-day vulnerability (CVE-2015-2425) was found in Internet Explorer.|
|July 16||On the mobile front, a fake news app designed to bypass Google Play was discovered.|
|July 20||A new zero-day vulnerability (CVE-2015-2426) was found in Windows, which Microsoft fixed in an out-of-band patch.|
|July 21||Analysis of the RCSAndroid spying tool revealed that Hacking Team can listen to calls and roots devices to get in.|
|July 28||A recent campaign compromised Taiwan and Hong Kong sites to deliver Flash exploits related to Hacking Team.|