Fake News App in Hacking Team Dump Designed to Bypass Google Play
We analyzed the recent Hacking Team dump and found a sample of a fake news app that appears to be designed to circumvent filtering in Google Play. This follows news that iOS devices are also at risk from spyware linked to Hacking Team. The fake news app was downloaded up to 50 times before it was removed from Google Play on July 7.
The “BeNews” app is a backdoor that borrows the name of the defunct news site BeNews to appear legitimate. We found the backdoor’s source code in the leak, along with a document that instructs customers on how to use it. Based on these, we believe Hacking Team provided the app to customers as a lure to get the RCSAndroid malware onto a target’s Android device.
The backdoor, detected as ANDROIDOS_HTBENEWS.A, affects Android versions from 2.2 (Froyo) through 4.4.4 (KitKat), and possibly others. It exploits CVE-2014-3153, a local privilege escalation vulnerability in the Linux kernel’s futex subsystem that affects Android devices. The same flaw was used by the TowelRoot rooting tool; once exploited, it gives the app root privileges, which it uses to fetch additional malware and give remote attackers access to the device.
Figure 1. Screenshots of the “BeNews” Android app by Hacking Team
Looking at the app’s routines, we believe the app circumvents Google Play restrictions through dynamic code loading. At submission time it requests only three permissions and contains no exploit code, so it passes Google’s security checks. However, dynamic loading lets the app download a piece of code from the Internet and execute it at runtime. The app does not load this code while Google is verifying it; the code is pushed later, once the victim starts using the app. A permission review or a static scan of the submitted APK therefore only ever sees the benign shell.
Figure 2. Screenshots of dynamic loading code path src/libbson/bson.cpp
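The pattern above (a minimal-permission shell that references a runtime class loader and only fetches its real payload after install) leaves a static footprint that a triage script can pick up. The following is an added example, not Hacking Team’s or Trend Micro’s code, and it does not analyze the real BeNews sample: it builds a constructed stand-in for an APK in memory, scans its classes*.dex entries for dalvik.system class-loader descriptors, and combines that with a permission list that is assumed to come from a manifest dump (for example `aapt dump permissions`; binary AXML parsing is out of scope). The indicator list and the `assess` verdict strings are the author’s own choices.

```python
import io
import re
import zipfile

# DEX string tables store class descriptors in MUTF-8, so ASCII descriptors
# appear verbatim inside classes*.dex and a byte search finds them without a
# full DEX parser. Assumption: this list is a starting point, not a complete
# signature for every way Android code can load code at runtime.
DYNAMIC_LOAD_INDICATORS = (
    b"Ldalvik/system/DexClassLoader;",
    b"Ldalvik/system/PathClassLoader;",
    b"Ldalvik/system/InMemoryDexClassLoader;",
    b"Ldalvik/system/BaseDexClassLoader;",
)

def dex_entries(apk_bytes):
    """Yield (name, bytes) for every classes.dex / classesN.dex in the APK zip."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if re.fullmatch(r"classes\d*\.dex", name):
                yield name, apk.read(name)

def scan_apk(apk_bytes):
    """Map each loader descriptor found to the DEX entries that contain it."""
    hits = {}
    for name, data in dex_entries(apk_bytes):
        for indicator in DYNAMIC_LOAD_INDICATORS:
            if indicator in data:
                hits.setdefault(indicator.decode("ascii"), []).append(name)
    return hits

def assess(apk_bytes, declared_permissions):
    """Combine the DEX scan with the manifest's permission list.

    declared_permissions is assumed to come from a manifest dump (for example
    'aapt dump permissions'); binary AXML parsing is not attempted here.
    """
    hits = scan_apk(apk_bytes)
    has_internet = "android.permission.INTERNET" in declared_permissions
    if hits and has_internet:
        return "stage-2 capable: INTERNET plus runtime class loader"
    if hits:
        return "runtime class loader without INTERNET: local payload only"
    return "no runtime code-loading indicators"

def build_sample_apk(with_loader):
    """Constructed stand-in for an APK (not the real BeNews sample): a zip with a
    stub manifest and a fake classes.dex whose string region lists a few
    descriptors, optionally including DexClassLoader."""
    strings = [b"Lcom/example/news/MainActivity;", b"Landroid/app/Activity;", b"http://"]
    if with_loader:
        strings += [b"Ldalvik/system/DexClassLoader;", b"loadClass"]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")  # AXML header stub
        apk.writestr("classes.dex", b"dex\n035\x00" + b"\x00".join(strings))
    return buf.getvalue()

if __name__ == "__main__":
    # Three benign-looking permissions, the kind a review would wave through.
    perms = ["android.permission.INTERNET",
             "android.permission.ACCESS_NETWORK_STATE",
             "android.permission.READ_PHONE_STATE"]
    for label, flag in (("benign-looking shell", False), ("shell with loader", True)):
        print(label, "->", assess(build_sample_apk(flag), perms))
```

Treat a hit as a triage signal rather than a verdict: plugin frameworks and ad SDKs legitimately use DexClassLoader, and a dropper can hide the descriptor by building the class name at runtime or going through reflection, so a clean scan is not a clean bill. The useful point is the combination: a tiny permission set plus a loader reference plus network access is exactly what a review based on the submitted APK alone cannot resolve.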
Leaked Code Includes How-To and Google Play Account
We also found the source code of the backdoor and its server in the Hacking Team dump. The archive labeled “core-android-market-master.zip” includes detailed instructions on how customers can operate the backdoor, as well as a ready-made Google Play account they can use.
Figure 3. Document for configuring BeNews server settings
Figure 4. Document for managing the backdoor in Google Play
With the proliferation of efforts similar to Hacking Team’s, end users need to stay alert for updates on the security front. This includes the mobile landscape as well. To protect mobile devices from threats that try to bypass built-in Google Play security measures, Trend Micro offers security for Android mobile devices through Mobile Security for Android™. Users may also acquire the mobile security solution via Google Play. Read more about mobile safety tips and tricks in our threat intelligence center for Mobile Safety.
Below is the SHA1 hash related to the threat discussed: