The recent Hacking Team data breach revealed, among other things, a fake Android app that was reportedly able to circumvent the filtering capabilities in the Google Play Store by using dynamic loading technology. How does this work, and how can users and enterprises detect these malicious apps?
The controversial IT security company Hacking Team recently found out what it's like to be the victim of a cyberattack when hackers announced they were making client files, contracts, financial documents and internal emails available for public download through Hacking Team's own Twitter account. The firm, based in Milan, sells "offensive" intrusion and surveillance tools and services to governments, law enforcement agencies and corporations, and the 400 GB of stolen data reveals a fascinating insight into the world of government and corporate surveillance and espionage.
Within the leaked files are documents explaining how to use Hacking Team's software, as well as the source code of some of its applications. Researchers at security software company Trend Micro found a sample of a malicious Android app within the data dump. Masquerading as a news app and using the name BeNews -- the name of a now-defunct news site -- the app appears to be legitimate. It contains no exploit code and requests only three permissions when installed. This innocuous disguise enables the fake Android app to pass through Google Play's vetting process. However, once installed, the app downloads and executes additional code from the Internet using dynamic loading technology.
Dynamic loading enables an application to load components only when they are specifically requested. It is used to reduce the size of an executable file and improve performance when certain dependent components are not regularly required. In this instance of a fake Android app, the technique has been used to delay the loading of malicious code until the app has passed verification and been installed. It installs Hacking Team's RCSAndroid surveillance program, considered by security experts to be the most sophisticated Android malware yet. It can capture screenshots, monitor clipboard content, collect passwords, contacts and messages, and record using the phone's microphone. The app exploits a privilege escalation vulnerability, CVE-2014-3153, found in Android 2.2 to 4.4.4, to bypass device security and give remote attackers access.
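The vetting problem described above is that the APK submitted to the store does not contain the code that eventually runs, so a reviewer who looks only at permissions and packaged code sees an ordinary news app. One static triage check that does catch this pattern is to look for the runtime-loading and network-fetch APIs that must be present in the shipped code for a second stage to be pulled down at all. The following script is an added example written for this article; it is not code from the original page, from Trend Micro or from Hacking Team. It treats an APK as a ZIP, byte-searches each `classes*.dex` for Dalvik class-loader and HTTP strings, extracts embedded URLs, and flags the combination. The two sample APKs, their DEX contents, the placeholder URL and the three-permission list are all constructed for the demo; parsing the binary `AndroidManifest.xml` is left to the caller, which passes the permission list in.

```python
"""
Static triage heuristic for Android APKs that defer code loading until after install.

Added example for this article (not code from the page, Trend Micro or Hacking Team).
Assumptions: an APK is a ZIP holding one or more classes*.dex files; the names of
Dalvik's dynamic-loading APIs survive as UTF-8 strings in the DEX string pool, so a
raw byte search finds them. The permission list is supplied by the caller.
"""
import io
import re
import zipfile
from dataclasses import dataclass, field

# Class and method names left in a DEX string table when an app loads code at runtime.
# Presence alone is not malicious (plugin frameworks, MultiDex and some SDKs use them);
# it is a triage signal to be combined with the network indicators below.
DYNAMIC_LOADING_INDICATORS = (
    b"Ldalvik/system/DexClassLoader;",
    b"Ldalvik/system/PathClassLoader;",
    b"Ldalvik/system/InMemoryDexClassLoader;",
    b"loadClass",
    b"loadLibrary",
)
# Strings suggesting the loaded code is fetched over the network rather than shipped
# inside the APK, which is the staged-download pattern the article describes.
NETWORK_FETCH_INDICATORS = (
    b"Ljava/net/HttpURLConnection;",
    b"Ljava/net/URL;",
    b"openConnection",
)
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")


@dataclass
class TriageResult:
    permissions: list = field(default_factory=list)
    dynamic_loading_hits: list = field(default_factory=list)
    network_hits: list = field(default_factory=list)
    urls: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Runtime loading plus a network fetch path is the core signal: the declared
        # permissions then say little about what the downloaded stage will do.
        return bool(self.dynamic_loading_hits) and bool(self.network_hits)


def _dex_blobs(apk_bytes: bytes):
    """Yield (name, bytes) for every classes*.dex inside the APK ZIP."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if re.fullmatch(r"classes\d*\.dex", name):
                yield name, zf.read(name)


def triage_apk(apk_bytes: bytes, permissions: list) -> TriageResult:
    """Scan all DEX files in an APK for dynamic-loading and network-fetch indicators."""
    result = TriageResult(permissions=list(permissions))
    for name, blob in _dex_blobs(apk_bytes):
        for ind in DYNAMIC_LOADING_INDICATORS:
            if ind in blob:
                result.dynamic_loading_hits.append(f"{name}:{ind.decode()}")
        for ind in NETWORK_FETCH_INDICATORS:
            if ind in blob:
                result.network_hits.append(f"{name}:{ind.decode()}")
        # Hard-coded URLs are worth surfacing for an analyst even when the verdict is "ok".
        result.urls.extend(sorted({m.decode() for m in URL_RE.findall(blob)}))
    return result


def _fake_dex(strings) -> bytes:
    # Constructed stand-in for a DEX file: real magic followed by NUL-separated strings.
    # A real DEX has a structured string_ids table, but the byte search works the same way.
    return b"dex\n035\x00" + b"\x00".join(strings) + b"\x00"


def _fake_apk(dex: bytes) -> bytes:
    # Constructed in-memory APK with a placeholder manifest and a single classes.dex.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<constructed placeholder/>")
        zf.writestr("classes.dex", dex)
    return buf.getvalue()


# Constructed samples: an ordinary news app, and one that ships a downloader stub.
BENIGN_APK = _fake_apk(_fake_dex([
    b"Lcom/example/news/MainActivity;", b"Landroid/widget/TextView;",
]))
STAGED_APK = _fake_apk(_fake_dex([
    b"Lcom/example/news/MainActivity;",
    b"Ldalvik/system/DexClassLoader;",
    b"loadClass",
    b"Ljava/net/HttpURLConnection;",
    b"openConnection",
    b"http://update.example.invalid/stage2.jar",  # constructed placeholder URL
]))
# Constructed three-permission list, matching the "only three permissions" pattern.
THREE_PERMISSIONS = [
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.READ_EXTERNAL_STORAGE",
]

if __name__ == "__main__":
    for label, apk in (("benign", BENIGN_APK), ("staged", STAGED_APK)):
        r = triage_apk(apk, THREE_PERMISSIONS)
        print(label, "SUSPICIOUS" if r.suspicious else "ok", r.dynamic_loading_hits, r.urls)
```

The check is deliberately a triage signal rather than a verdict: legitimate apps use `DexClassLoader` for plugins and hot fixes, so a hit should route the APK to dynamic analysis in an instrumented emulator, where the second stage can be observed being fetched and executed, rather than block it outright. Conversely, a clean result from this script says nothing about code that is fetched via a library the scanner does not know, so the indicator lists should be extended as new loader patterns are published.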
The fake BeNews app was downloaded up to 50 times before it was removed from Google Play, but now that the source code for this and other Hacking Team software has been made public, cybercriminals will certainly use it to add new or improved capabilities to their own attack tools. On the plus side, the leaked data contains a lot of information that security researchers can use to investigate additional vulnerabilities that have never been disclosed or patched. Hacking Team correspondence also suggests that sandboxing is proving effective in frustrating hackers' attempts to develop exploits that can successfully compromise a device. Hopefully this will encourage further development and greater use of this mitigation technology by vendors.
Enterprises should monitor security newsfeeds to stay abreast of the fast-moving world of mobile security, and ensure that mobile devices connecting to the network are patched and up to date. There are a variety of mobile protection suites available that provide additional protection from malicious apps that try to bypass app stores and OS security measures, including Trend Micro's Mobile Security for Android, ESET Mobile Security for Android and McAfee Mobile Security, all of which are available as enterprise versions.
Ask the Expert:
Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)