The recent Hacking Team data breach revealed, among other things, a fake Android app that was reportedly able to circumvent the filtering capabilities in the Google Play Store by using dynamic loading technology. How does this work, and how can users and enterprises detect these malicious apps?
The controversial IT security company Hacking Team recently found out what it's like to be the victim of a cyberattack when hackers announced they were making client files, contracts, financial documents and internal emails available for public download through Hacking Team's own Twitter account. The firm, based in Milan, sells "offensive" intrusion and surveillance tools and services to governments, law enforcement agencies and corporations, and the 400 GB of stolen data reveals a fascinating insight into the world of government and corporate surveillance and espionage.
Within the leaked files are documents explaining how to use Hacking Team's software, as well as source code for some of its applications. Researchers at security software company Trend Micro found a sample of a malicious Android app within the data dump. Masquerading as a news app and using the name BeNews -- the name of a now-defunct news site -- the app appears to be legitimate. It contains no exploit code and requests only three permissions when installed. This innocuous disguise enables the fake Android app to pass through Google Play's vetting process. However, once installed, the app downloads and executes additional code from the Internet using dynamic loading technology.
Dynamic loading enables an application to load components only as they are specifically requested. It is used to reduce the size of an executable file and improve performance when certain dependent components are not regularly required. In this instance of a fake Android app, the technique has been used to delay the loading of malicious code until the app has passed verification and been installed. The app then installs Hacking Team's RCSAndroid surveillance program, considered the most sophisticated Android malware yet by security experts. RCSAndroid can capture screenshots, monitor clipboard content, collect passwords, contacts and messages, and record using the phone's microphone. The app exploits a privilege escalation vulnerability, CVE-2014-3153, found in Android 2.2 to 4.4.4, to bypass device security and allow access to remote attackers.
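A static triage check for the dynamic loading described above, as an added example that is not from the original article or from Trend Micro: it parses the type table of each classes*.dex in an APK and reports references to Android's class-loading types. The loader list and the `sample_apk` helper are assumptions made for illustration; the article does not name the API BeNews used.

```python
import io, struct, zipfile

# Android SDK class-loading types; the page does not say which one BeNews used.
LOADER_TYPES = {"Ldalvik/system/DexClassLoader;", "Ldalvik/system/PathClassLoader;",
                "Ldalvik/system/InMemoryDexClassLoader;", "Ldalvik/system/DexFile;"}

def dex_types(dex):
    """Return type descriptors from a DEX type_ids table (sizes/offsets at 0x38)."""
    if dex[:4] != b"dex\n":
        raise ValueError("not a DEX file")
    n_str, str_off, n_type, type_off = struct.unpack_from("<4I", dex, 0x38)
    types = set()
    for i in range(n_type):
        (idx,) = struct.unpack_from("<I", dex, type_off + 4 * i)
        if idx >= n_str:
            continue  # malformed index, skip it
        (pos,) = struct.unpack_from("<I", dex, str_off + 4 * idx)
        while dex[pos] & 0x80:  # skip the ULEB128 length prefix
            pos += 1
        end = dex.index(b"\x00", pos + 1)
        types.add(dex[pos + 1:end].decode("utf-8", "replace"))
    return types

def scan_apk(apk_bytes):
    """Map each classes*.dex in an APK to the loader types it references."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("classes") and name.endswith(".dex"):
                found = dex_types(z.read(name)) & LOADER_TYPES
                if found:
                    hits[name] = sorted(found)
    return hits

def sample_apk(descriptors):
    """Constructed input: ZIP with a header-and-tables-only DEX (not loadable)."""
    n, ids, data = len(descriptors), b"", b""
    for d in descriptors:  # layout: header, string_ids, type_ids, string data
        ids += struct.pack("<I", 0x70 + 8 * n + len(data))
        data += bytes([len(d)]) + d.encode() + b"\x00"
    hdr = b"dex\n035\x00".ljust(0x38, b"\x00") + struct.pack("<4I", n, 0x70, n, 0x70 + 4 * n)
    types = b"".join(struct.pack("<I", i) for i in range(n))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", hdr.ljust(0x70, b"\x00") + ids + types + data)
    return buf.getvalue()

if __name__ == "__main__":
    print(scan_apk(sample_apk(["Landroid/app/Activity;", "Ldalvik/system/DexClassLoader;"])))
```

A hit is a reason to review what the app loads and from where, not a verdict, since legitimate apps also use dynamic loading to reduce size and improve performance.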
The fake BeNews app was downloaded up to 50 times before it was removed from Google Play, but now that the source code for this and other Hacking Team software has been made public, cybercriminals will certainly use it to add new or improved capabilities to their own attack tools. On the plus side, the leaked data contains a lot of information that security researchers can use to investigate additional vulnerabilities that have never been disclosed or patched. Hacking Team correspondence also suggests that sandboxing is proving effective in frustrating hackers' attempts to develop exploits that can successfully compromise a device. Hopefully this will encourage further development and greater use of this mitigation technology by vendors.
Enterprises should monitor security newsfeeds to stay abreast of the fast-moving world of mobile security and ensure mobile devices connecting to the network are patched and up to date. A variety of mobile protection suites provide additional protection from malicious apps that try to bypass app stores and OS security measures, including Trend Micro's Mobile Security for Android, ESET Mobile Security for Android and McAfee Mobile Security, all of which are available as enterprise versions.
Ask the Expert:
Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)