Hacking Team had RATted on Android: Trend Micro
Android had been p0wned from Ice Creams to Jelly Beans
The next piece of weaponised malware to emerge out of the Hacking Team leak has arrived: a Remote Access Trojan (RAT) for Android.
Trend Micro researchers trawling the 400 GB of leaked files apparently have the honour of first discovery: RCSAndroid, it says, is “one of the most professionally developed and sophisticated” pieces of Android malware* they've seen.
Compromised phones can't be cleaned without root privilege, and Trend says users would probably need their device manufacturer's help to get the phone re-flashed.
If you've got any Android between Ice Cream and Jelly Bean, get rid of it, because that's the version on which Hacking Team had finished work. The analysis notes that “based on the leak mail from a customer inquiry, Hacking Team was in the process of developing exploits for Android 5.0 Lollipop.”
RCSAndroid capabilities include screen capture; clipboard monitoring; Wi-Fi password collection (including grabbing passwords sent over Wi-Fi for applications like Skype, Facebook, Twitter and so on); recording from the microphone; message collection; location collection; use the front and back cameras; and contact collection (again from a variety of services).
Wiretap wasn't forgotten. RCSAndroid, Trend Micro says, also has a hook into the mediaserver system service to get voice calls in real time.
Trend writes that the config file suggests RCSAndroid's been in the wild since 2012, with a now-defunct command and control server in the USA.
The analysis – which also reveals that customers included a “major IT partner in the Olympic Games” – describes four “critical components” of RCSAndroid:
- Penetration – either via SMS or e-mail, or through “legitimate” Android applications;
- The low-level code designed to run exploits and spy tools past Android's security framework;
- The malicious Java agent APK; and
- The C&C servers.
Particularly targeting Android 4.0 Ice Cream to 4.3 Jelly Bean, the malware exploited CVE-2012-2825 and CVE-2012-2871. A message – either SMS or e-mail – containing an attack URL triggering exploits that end with local privilege escalation, allowing the exploit to be installed. ®
*Bootnote: Sorry, Google, we didn't mean “malware”. We meant Potentially Harmful ApplicationTM.