After the recent warning regarding spyware being sold by Italian company Hacking Team which can compromise iOS device, whether jailbroken or not; it was recently found that Google Play also under attack by the same Italian company.
The fake news app was downloaded up to 50 times before it was removed from Google Play on July 7. The “BeNews” app is a backdoor app that uses the name of defunct news site “BeNews” to appear legitimate. Trend Micro found the backdoor’s source code in the leak, including a document that teaches customers how to use it. Based on these, Trend Micro believes that the Hacking Team provided the app to customers to be used as a lure to download RCSAndroid malware on a target’s Android device.
The backdoor, ANDROIDOS_HTBENEWS.A, can affect, but is not limited to, Android versions starting from 2.2 Froyo to 4.4.4 KitKat. Looking into the app’s routines, Trend Micro believes the app can circumvent Google Play restrictions by using dynamic loading technology. Initially, it only asks for three permissions and can be deemed safe by Google’s security standards as there are no exploit codes to be found in the app. However, dynamic loading technology allows the app to download and execute a partial of code from the Internet. It will not load the code while Google is verifying the app but will later push the code once the victim starts using it.
Leaked Code Includes How-To and Google Play Account
Trend Micro also found the source code of the backdoor and its server among the Hacking Team dump. The document labeled “core-android-market-master.zip” includes detailed instructions on how customers can manipulate the backdoor as well as a ready-made Google Play account they can use.
Recommendations
With the proliferation of efforts similar to Hacking Team’s, end users need to stay alert for updates on the security front. This includes the mobile landscape as well. To protect mobile devices from threats that try to bypass built-in Google Play security measures, Trend Micro offers security for Android mobile devices through Mobile Security for Android™. Users may also acquire the mobile security solution via Google Play. Read more about mobile safety tips and tricks in our threat intelligence center for Mobile Safety.