Hacking Team used fake app hosted on Google Play to install its spyware on Android devices

“The massive Hacking Team data leak includes the source code of a fake Android news app and instructions on how to use it, Trend Micro researchers have found.

The app, dubbed BeNews after a now-defunct news site, was made available from Google Play, and it was downloaded 50 or less times until it was removed.

“We believe that the Hacking Team provided the app to customers to be used as a lure to download RCS Android malware on a targets Android device,” mobile threat response engineer Wish Wu pointed out.

Once the app was installed by the victims and they started using it, it would exploit a local privilege escalation vulnerability (CVE-2014-3153) affecting Android versions from 2.2 Froyo to 4.4.4 KitKat (possibly others as well), and download and execute malicious code.

“Looking into the apps routines, we believe the app can circumvent Google Play restrictions by using dynamic loading technology,” Wu shared.

“Initially, it only asks for three permissions and can be deemed safe by Googles security standards as there are no exploit codes to be found in the app. However, dynamic loading technology allows the app to download and execute a partial of code from the Internet.”

So, the leak does not contain the exploit code, but the app’s source code can now be analyzed by malicious app makers, and the Google Play security bypassing techniques implemented in their future offerings. The fact that they app also comes with instructions is an added bonus to malicious actors.”