7 Things You Need To Know about the Hacking Team’s Leaked Mobile Malware Suite

A lot has happened since the Hacking Team's files got leaked online. Besides the number of new vulnerabilities—mostly affecting Flash Player and IE—that have been discovered, exploited, and patched, source code for the company's tools were also part of the leaked files. One of them was a particularly sophisticated malware suite called RCSAndroid (Remote Control System Android), which was sold by the company as a tool for monitoring targets.

Our researchers believe that this spying tool can be considered as “one of the most professionally developed and sophisticated Android malware ever exposed”.

But what is the RCSAndroid spying tool really capable of? Who is affected? Which devices are vulnerable? Here are some quick facts you need to know about the Hacking Team’s leaked mobile malware suite:

1. It can carry out spying capabilities- including capturing photos using the front and back cameras
   Based on the leaked code to the mobile malware suite, our researchers discovered that the RCSAndroid app can carry out intrusive routines to spy on intended targets. Its capabilities include monitoring the screen and clipboard on Android devices, collecting passwords and contact details for online accounts, as well as using the device’s cameras and microphones.           

2. All Android versions before Lollipop are vulnerable
   If your Android device runs on Froyo, Gingerbread, Ice Cream Sandwich or Jelly Bean, it is most likely vulnerable to RCAndroid’s spying routines. Our research has yet to validate whether the spying tool works on all devices. The aforementioned Android versions account for nearly 82% of all Android devices.

3. Attackers use two methods to get targets to download RCSAndroid
   The first method is to send a specially crafted URL to the target via SMS or email. The second method is to use a stealthy backdoor app which was designed to bypass Google Play.

4. The actual spying tool from the Hacking Team costs a lot, and requires an Annual Maintenance Fee
   The whole suite reportedly costs €234,000, or USD $260,000, per year. The actual spying tool released by the Hacking Team costs a lot, but the leaked code makes the tool more accessible for anyone to use. The fact that RCSAndroid is powerful and readily available makes it all the more dangerous. Cybercriminals can tweak the code however they want, and can use a number of ways to get people to install it on their devices without knowing what they're installing.

5. The RCAAndroid can now be easily used by any Android developer
   The mobile malware suite can be used by any Android developer with the technical know-how. Our in-depth analysis on the malware and how it roots devices for its spying activities is detailed in our blog entry titled “Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In.”

6. The spying tool is difficult to remove and detect from an infected device
   To avoid detection and removal of the agent app in the device memory, the RCSAndroid suite also detects emulators or sandboxes. It is also able to manipulate data in the Android package manager to add and remove permissions and components as well as hide the app icon.

7. Certain malicious actions are triggered by an Event Action module
   On an infected device, the Event Action Trigger module triggers malicious actions based on certain events. These events can be based on time, charging or battery status, location, connectivity, running apps, focused app, SIM card status, SMS received with keywords, and screen turning on.

Trend Micro™ Mobile Security works against the abovementioned RCSAndroid app routines. The mobile security solution has a cloud scan feature that provides Trend Micro researchers with more information on unknown samples to enhance detection.

Trend Micro Mobile Security additionally provides additional security to data and guards Android mobile devices against apps that steal personal information that may leave devices vulnerable to identity theft.

Downloading from the Google Play Store minimizes the risk that third-party app stores bring. Avoid rooting your Android device as it may potentially allow unsigned apps, including malicious ones, access to stored data. This also makes it difficult to patch and update your OS and apps, which could leave your device vulnerable. Updating to the latest Android OS version is also a good security measure.