Security researchers at Trend Micro’s Trend Labs have uncovered a trick in a sample of a fake news application for Android created by the network exploitation tool provider HackingTeam that may have allowed the company’s customers to sneak spyware through the Google Play store’s code review. While the application in question may have only been downloaded fewer than 50 times from Google Play, the technique may have been used in other Android apps developed for Hacking Team customers—and may now be copied by others trying to get malware onto Android devices.
The sample app, called “BeNews”, is designed as a Trojan horse for Hacking Team’s RCSAndroid “backdoor” malware. It used the name of a defunct news site to make it seem like a legitimate Android application. Wish Wu of Trend Labs wrote in a blog post that Trend Labs team found the source code for the app within the leaked Hacking Team files, along with documentation “that teaches customers how to use it,” he wrote. “Based on these, we believe that the Hacking Team provided the app to customers to bus used as a lure to download RCSAndroid malware on a target’s Android device.”
The app exploits a local privilege escalation vulnerability in Android which has been determined to affect all versions of the mobile operating system from Android 2.2 (“Froyo”) to 4.4.4 (“KitKat”). Other versions may be vulnerable as well, according to Wish. The exploit, which also affected other Linux operating systems, was documented last summer.