Since the leak of Hacking Team hack, every day in security area have been inundated with news about some vulnerability, exploit, etc. etc., and still more news are yet to come out.
Today it is time for Android and for a new Remote Access Trojan (RAT) that emerged from the Hacking Team leak.
Trend Micro researchers discovered this new RAT called RCSAndroid and said that is “one of the most professionally developed and sophisticated” piece of malware that they have seen for Android, until the moment.
This RAT it is so evolved and difficult to take out, that compromised phones can’t be cleaned without root privileges, and Trend Micro advises that it would be better for manufacturers to help and re-flash the phones.
RCSAndroid app can do the following:
The way the infection starts can vary, but normally start with a SMS or email with a craft URL, “The URL will trigger exploits for arbitrary memory read (CVE-2012-2825) and heap buffer overflow (CVE-2012-2871) vulnerabilities in the default browsers of Android versions 4.0 Ice Cream Sandwich to 4.3 Jelly Bean, allowing another local privilege escalation exploit to execute. When root privilege is gained, a shell backdoor and malicious RCSAndroid agent APK file will be installed”
Once RCSAndroid it is installed, it starts working like a cluster bomb, deploying multiple and dangerous exploits, using many techniques to infect the devices. When the code was analyzed Tread Micro found:
To avoid this type of malware, you should follow some best practices likes:
It would be important they understand how much this RAT was deployed since it affects Android between Ice Cream and Jelly Bean, and from a recovered emails from the leak, we learned that they were preparing a new version for Android 5.0 Lollipop.
About the Author Elsio Pinto
Edited by Pierluigi Paganini
(Security Affairs – Hacking Team, RCSAndroid)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.