Android devices, from Ice Cream version to Jelly Bean were p0wned with RCSAndroid

Android devices, from Ice Cream version to Jelly Bean were p0wned with RCSAndroid RAT, one of the most professionally developed and sophisticated malware.

Since the leak of Hacking Team hack, every day in security area have been inundated with news about some vulnerability, exploit, etc. etc., and still more news are yet to come out.

Today it is time for Android and for a new Remote Access Trojan (RAT) that emerged from the Hacking Team leak.

Trend Micro researchers discovered this new RAT called RCSAndroid and said that is “one of the most professionally developed and sophisticated” piece of malware that they have seen for Android, until the moment.

This RAT it is so evolved and difficult to take out, that compromised phones can’t be cleaned without root privileges, and Trend Micro advises that it would be better for manufacturers to help and re-flash the phones.

RCSAndroid app can do the following:

• Capture screenshots using the “screencap” command and framebuffer direct reading
• Monitor clipboard content
• Collect passwords for Wi-Fi networks and online acco;.unts, including Skype, Facebook, Twitter, Google, WhatsApp, Mail, and LinkedIn
• Record using the microphone
• Collect SMS, MMS, and Gmail messages
• Record location
• Gather device information
• Capture photos using the front and back cameras
• Collect contacts and decode messages from IM accounts, including Facebook Messenger, WhatsApp, Skype, Viber, Line, WeChat, Hangouts, Telegram, and BlackBerry Messenger.
• Capture real-time voice calls in any network or app by hooking into the “mediaserver” system service

The way the infection starts can vary, but normally start with a SMS or email with a craft URL, “The URL will trigger exploits for arbitrary memory read (CVE-2012-2825) and heap buffer overflow (CVE-2012-2871) vulnerabilities in the default browsers of Android versions 4.0 Ice Cream Sandwich to 4.3 Jelly Bean, allowing another local privilege escalation exploit to execute. When root privilege is gained, a shell backdoor and malicious RCSAndroid agent APK file will be installed”

Once RCSAndroid it is installed, it starts working like a cluster bomb, deploying multiple and dangerous exploits, using many techniques to infect the devices. When the code was analyzed Tread Micro found:

1. penetration solutions, ways to get inside the device, either via SMS/email or a legitimate app
2. low-level native code, advanced exploits and spy tools beyond the Android’s security framework
3. high-level Java agent – the app’s malicious APK
4. command-and-control (C&C) servers, used to remotely send/receive malicious commands

To avoid this type of malware, you should follow some best practices likes:

• Disable app installations from unknown, third-party sources.
• Constantly update your Android devices to the latest version to help prevent exploits, especially in the case of RCSAndroid which can affect only up to version 4.4.4 KitKat. Note, however, that based on the leak mail from a customer inquiry, Hacking Team was in the process of developing exploits for Android 5.0 Lollipop.
• Install a mobile security solution to secure your device from threats.

It would be important they understand how much this RAT was deployed since it affects Android between Ice Cream and Jelly Bean, and from a recovered emails from the leak, we learned that they were preparing a new version for Android 5.0 Lollipop.

About the Author Elsio Pinto

Edited by Pierluigi Paganini

(Security Affairs – Hacking Team, RCSAndroid)