Hacking Team Finds a Way to Bypass Google Security With Malicious Code
posted Sunday Jul 19, 2015 by Scott Ertz
In the past, we have written about the major security issues of the Android platform. The company's "come one, come all" approach to application publishing, combined with incredibly liberal access to the data stored on your device by any and all applications, created an environment that was very conducive to taking advantage of device owners.
There was no way that Google could have let this environment persist. In an attempt to prevent its customers from being taken advantage of, and to prevent the complete collapse of Android, Google implemented a system that checks the code of applications as they are submitted to see if they contain code specifically designed to steal data or hijack the device. It has been fairly successful, preventing many scam apps from entering Google Play.
The group at Hacking Team, however, seems to have found a way around Google's checks. A sample app, which was designed to show Hacking Team clients how to implement the workaround, was found by Trend Micro researchers in the Hacking Team files that were released recently. The app, BeNews, uses the name of a legitimate but retired news application, and only asks for 3 traditional, non-issue permissions at installation time. All of this makes the app appear legitimate to customers and lets it pass Google's security checks.
After the app is installed, though, it takes advantage of a security hole in Linux to inject additional code downloaded from the outside world, which escalates its privileges and installs the group's RCSAndroid backdoor Trojan horse. Android is a flavor of Linux, meaning that any version of Android built upon a Linux kernel that contains this vulnerability, which was documented a year ago, can be affected by the Trojan. It is known that all versions from Android 2.2 to 4.4.4 are affected, but there could be more.
As of now, it appears that the BeNews app has been downloaded fewer than 50 times, but there is no telling how many other apps published by Hacking Team clients have included this exploit. The moral of the story is that you can't trust an app simply because it comes from Google Play. Always make sure the app is from official, known authors before downloading.