ANDROIDOS_RCSAGENT.HRX

 Analysis by: Veo Zhang

 THREAT SUBTYPE:

Information Stealer, Malicious Downloader, Spying Tool, Rooting Tool

 PLATFORM:

Android OS

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Trojan

  • Destructiveness: Yes

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Downloaded from the Internet, Via app stores, Via email


This is the malicious app revealed to be sold by the Hacking Team to customers in order to compromise targets. Its existence was revealed during the July 2015 data breach of its database. Devices infected by this malware can be considered to have their security compromised.

  TECHNICAL DETAILS

File Size:

109,867 bytes

File Type:

APK

Memory Resident:

Yes

Initial Samples Received Date:

24 Jan 2015

Payload:

Steals information

NOTES:

This malicious Android app is sold to customers to compromise targets. It is identified as coming from the Hacking Team.

Users are lead to this malware via the following:

  • via URL from email or SMS
  • via download in app store such as Google Play

When a user clicks on the URL from the email or SMS, it leads to vulnerabilities that force the browser to execute malicious APK. The malicious APK uses local privilege escalation vulnerability CVE-2013-6282 and CVE-2014-3153 to root the device and install a shell backdoor. The backdoor then installs this malicious app.

When a user downloads and installs a specific app, it uses local privilege escalation vulnerability CVE-2013-6282 and CVE-2014-3153 to root the device and install a shell backdoor. The backdoor then installs this malicious app.

This malicious app has two core modules called Evidence Collector and Event Action Trigger. The Evidence Collector is a spying module. Based on its code, it can monitor the following information:

  • Screen snapshot
  • Clipboard monitor
  • Wifi password
  • system accounts password dump and decoding, including Skype, Facebook, Twitter, Google, Whatsapp, Mail, Linkedin account
  • Microphone recording
  • SMS, MMS, Gmail messages
  • Location
  • Device information.
  • Front and back camera photos
  • Popular chat app messages, contacts dump and decoding including BBM, Facebook, Whatsapp, Skype, Viber, Line, Wechat, Hangouts, Telegram
  • Audio capture by hooking mediaserver system service, to capture real-time voice call by phone or app

The Event Action Trigger monitors various events to trigger malicious actions. The events can be can be time, charging or battery status, location, connectivity, running apps, focused app, sim card status, SMS keyword, and screen on. According to the configuration pattern, these actions are registered to do the following:

  • Sync configuration data, upgrade modules, download new payload
  • Upload and purge collected evidence
  • Destroy device by resetting locking password
  • Execute command shell
  • Send SMS with defined content or location
  • Disable network
  • Disable root
  • Uninstall bot

  SOLUTION

Minimum Scan Engine:

9.750

TMMS Pattern Date:

27 Jul 2015

Trend Micro Mobile Security Solution

Trend Micro Mobile Security Personal Edition protects Android and iOS smartphones and tablets from malicious and Trojanized applications. It blocks access to malicious websites, increase device performance, and protects your mobile data. You may download the Trend Micro Mobile Security apps from the following sites:


Did this description help? Tell us how we did.