It seems like as the sun rises each morning, we have new news about capabilities Hacking Team was leveraging in their exploit and vulnerability arsenal. Today we learn the Hacking Team has likely created the most sophisticated piece of Android malware ever exposed:
After having revealed one of the ways that the company used to deliver its spyware on Android devices (fake app hosted on Google Play), Trend Micro researchers have analyzed the code of the actual spyware: RCS Android (Remote Control System Android).
Unsurprisingly, it can do so many things and spy on so many levels that they consider it the most sophisticated Android malware ever exposed.
The spyware is delivered either via the aforementioned app, or via an SMS or email that contain a specially crafted URL that will trigger exploits for several vulnerabilities in the default browsers of Android versions 4.0 Ice Cream Sandwich to 4.3 Jelly Bean.
This will allow the attacker to gain root privilege, and allow the installation of a shell backdoor and RCS Android.
The RCS Android has two core modules: the Evidence Collector and the Event Action Trigger.
The former is responsible for the spying routines: gathering device information, capturing screenshots and photos, recording speech by using the devices’ microphone, capturing voice calls, recording location, capturing Wi-Fi and online account passwords, collecting contacts and decoding messages from IM accounts, as well as collecting SMS, MMS, and Gmail messages.
The latter is in charge of triggering malicious actions based on certain events (e.g. screen turning on, or SMS received with keywords). It can sync configuration data, upgrade modules, and download new payloads; upload the above mentioned collected data to the C&C server, and purge it from the device; execute shell commands; disable the network, root access; reset the device’s locking password; uninstall the bot.
“To avoid detection and removal of the agent app in the device memory, the RCSAndroid suite also detects emulators or sandboxes, obfuscates code using DexGuard, uses ELF string obfuscator, and adjusts the OOM (out-of-memory) value,” the researchers shared.
“Interestingly, one unused feature of the app is its ability to manipulate data in the Android package manager to add and remove permissions and components as well as hide the app icon.”
After learning the Hacking Team is not the most sophisticated group around even though they have some very advanced tools in their arsenal, imagine all the malware out there in the wild we do not yet know about and how complex it may be.
You don’t know what you don’t know seems somehow apropos.