Discovery app capable, via a vulnerability of the operating system to bypass security checks of Play Store and install malware on the Android device.
Security researchers from Trend Labs (Trend Micro) have identified a small deception hidden in an example of a fake news application for Android created by Hacking Team. These discussions may have been used to circumvent the security controls of the Google Play store to infiltrate a spyware in an Android device.
Although the application has been downloaded just about fifty times, the technique could have been used in other Android app developed by Hacking Team for its customers and could now be copied by other criminals who want to introduce malware in Android devices.
The app, called ” BeNews ” is a kind of Trojan horse to infiltrate malware RCSAndroid of Hacking Team: the name used is that of a news site now deceased, so that might be mistaken for a legitimate application Android. The source code of the app has been found in the files stolen by Hacking Team, along with documentation explaining to customers how to use it. It possible that Hacking Team has sold this application to customers and that they have it used as bait to download the malware RCSAndroid on the device of a victim.
The app uses a privilege escalation vulnerability in Android that affects all versions of Android 2.2 ” Froyo ” to Android 4.4.4 ” KitKat “ and was recorded last summer. The code can exploit the flaw appears to be not included in the original code of the app BeNews. Once downloaded and started by the user, but the app is able to dynamically load additional code, including the one that takes advantage of the vulnerability, and thus becomes able to climb the permission and install RCSAndroid.
Although the threat posed by this app not seem to be particularly severe (requires physical access to the phone of the victim, or the use of social engineering techniques to get the user to install the app), it should be remembered the code and documentation associated with it are now in the public domain and may be used to create other malicious app that can circumvent controls for Google Play Store.