How Hacking Team sneaked malware into the Google Play store
Trend Micro: Hacking Team used 'BeNews' app that circumvented Google Play security to spread malware on Android
Hacking Team, the Italian company that sold malware and surveillance tools to governments worldwide, used a tool to circumvent the security of Google's Play store in order to propagate Android malware.
The claim has been made by security software company Trend Micro following an analysis of some of the code dumped on the internet following the attack on Hacking Team two weeks ago.
"We analysed the recent Hacking Team dump and found a sample of a fake news app that appears to be designed to circumvent filtering in Google Play... The fake news app was downloaded up to 50 times before it was removed from Google Play on July 7.
"The 'BeNews' app is a backdoor app that uses the name of defunct news site BeNews to appear legitimate. We found the backdoor's source code in the leak, including a document that teaches customers how to use it. Based on these, we believe that the Hacking Team provided the app to customers to be used as a lure to download RCSAndroid malware on a target's Android device," claims Trend Micro in a blog posting.
The app, according to Trend Micro, contains the Androidos_htbewnews.A backdoor, which is effective against Android from versions 2.2 Froyo to 4.4.4 KitKat. "It exploits the CVE-2014-3153 local privilege escalation vulnerability in Android devices. This flaw was previously used by the root exploit tool TowelRoot to bypass device security, open it for malware download, and allow access to remote attackers."
"Looking into the app's routines, we believe the app can circumvent Google Play restrictions by using dynamic loading technology.
"Initially, it only asks for three permissions and can be deemed safe by Google's security standards as there are no exploit codes to be found in the app. However, dynamic loading technology allows the app to download and execute a partial of code from the Internet. It will not load the code while Google is verifying the app but will later push the code once the victim starts using it.
"We also found the source code of the backdoor and its server among the Hacking Team dump. The document labeled 'core-android-market-master.zip' includes detailed instructions on how customers can manipulate the backdoor as well as a ready-made Google Play account they can use," claims Trend Micro.
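The evasion Trend Micro describes rests on the reviewed APK containing no exploit code at all, only a small permission set and the ability to fetch and execute code later. A static review therefore cannot see the payload, but it can flag the loader capability. The following is an added example written for this article, not code from Trend Micro or from the leaked app; it assumes the reviewer has already extracted the manifest and the string pool of classes.dex (or smali output), and all sample inputs are constructed.

```python
"""Heuristic app-vetting check for the 'dynamic loading' pattern described above.

Flags an app for manual review when it declares network access and references a
runtime class loader, i.e. it can pull in code that was absent at review time.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
NETWORK_PERMISSION = "android.permission.INTERNET"

# Type descriptors of Android class loaders that execute code not shipped in
# the reviewed APK. Matched as substrings so smali lines also work.
DYNAMIC_LOAD_INDICATORS = (
    "Ldalvik/system/DexClassLoader;",
    "Ldalvik/system/PathClassLoader;",
    "Ldalvik/system/BaseDexClassLoader;",
    "Ldalvik/system/InMemoryDexClassLoader;",
)

# Constructed sample: a 'news reader' with three permissions (as in the article)
# whose dex string pool references DexClassLoader alongside HTTP networking.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.news.reader">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
</manifest>"""

SAMPLE_DEX_STRINGS = [
    "Landroid/app/Activity;",
    "Ljava/net/HttpURLConnection;",
    "Ldalvik/system/DexClassLoader;",
    "loadClass",
]


def declared_permissions(manifest_xml: str) -> list[str]:
    """Return the <uses-permission> names declared in an AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name", "") for el in root.iter("uses-permission")]


def dynamic_load_hits(dex_strings: list[str]) -> list[str]:
    """Return the loader indicators that appear anywhere in the dex string pool."""
    return sorted({ind for ind in DYNAMIC_LOAD_INDICATORS
                   for s in dex_strings if ind in s})


def assess(manifest_xml: str, dex_strings: list[str]) -> dict:
    """Combine both signals; a small permission set alone is not reassuring."""
    perms = declared_permissions(manifest_xml)
    hits = dynamic_load_hits(dex_strings)
    return {"permissions": perms, "dynamic_loading": hits,
            "needs_manual_review": NETWORK_PERMISSION in perms and bool(hits)}
```

The flag is a prompt for human review, not a verdict: legitimate apps use these loaders too, but a low-permission app that can fetch and run code after installation is exactly the shape the article's evasion takes.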