Pierluigi Paganini
July 17, 2015
Experts at Trendmicro analyzing package of data stolen from Hacking Team systems discovered a fake news app that was designed to circumvent filtering in Google Play. The malicious app was downloaded only 50 times before being removed from Google Play on July 7.
The app was called “BeNews” and is a backdoor app, that takes advantage of the extinct site “Benews”
“We found the backdoor’s source code in the leak, including a document that teaches customers how to use it. Based on these, we believe that the Hacking Team provided the app to customers to be used as a lure to download RCS Android malware on a target’s Android device.” States the blog post published by TrendMicro.
The backdoor included in the app is called “ANDROIDOS_HTBENEWS.A” and affects android devices from version 2.2 Froyo to 4.4.4 KitKat. The backdoor exploits the CVE-2014-3153 vulnerability, which is a local privilege escalation flaw.
“Looking into the app’s routines, we believe the app can circumvent Google Play restrictions by using dynamic loading technology. Initially, it only asks for three permissions and can be deemed safe by Google’s security standards as there are no exploit codes to be found in the app. However, dynamic loading technology allows the app to download and execute a partial of code from the Internet. It will not load the code while Google is verifying the app but will later push the code once the victim starts using it.” Continues the post.
The leaked dump also includes detailed instructions on how the Hacking Team’s clients could manipulate the backdoor:
As usual, the scaring aspect of the story is that many other companies like the Hacking Team with similar abilities are using similar techniques to hack computing systems and mobile devices worldwide. Always pay attention on what you install in your device and use an endpoint product to protect it.
About the Author Elsio Pinto
(Security Affairs – Hacking Team, Android)
