Since the leak of Hacking Team hack, every day in security area have been inundated with news about some vulnerability, exploit, etc. etc., and still more news are yet to come out.
Today it is time for Android and for a new Remote Access Trojan (RAT) that emerged from the Hacking Team leak.
Trend Micro researchers discovered this new RAT called RCSAndroid and said that is “one of the most professionally developed and sophisticated” piece of malware that they have seen for Android, until the moment.
This RAT it is so evolved and difficult to take out, that compromised phones can’t be cleaned without root privileges, and Trend Micro advises that it would be better for manufacturers to help and re-flash the phones.
RCSAndroid app can do the following:
The way the infection starts can vary, but normally start with a SMS or email with a craft URL, “The URL will trigger exploits for arbitrary memory read (CVE-2012-2825) and heap buffer overflow (CVE-2012-2871) vulnerabilities in the default browsers of Android versions 4.0 Ice Cream Sandwich to 4.3 Jelly Bean, allowing another local privilege escalation exploit to execute. When root privilege is gained, a shell backdoor and malicious RCSAndroid agent APK file will be installed”
Once RCSAndroid it is installed, it starts working like a cluster bomb, deploying multiple and dangerous exploits, using many techniques to infect the devices. When the code was analyzed Tread Micro found:
To avoid this type of malware, you should follow some best practices likes:
It would be important they understand how much this RAT was deployed since it affects Android between Ice Cream and Jelly Bean, and from a recovered emails from the leak, we learned that they were preparing a new version for Android 5.0 Lollipop.
About the Author Elsio Pinto
Edited by Pierluigi Paganini
(Security Affairs – Hacking Team, RCSAndroid)