Hacker Team RCSAndroid Trojan

Hacker Team RCSAndroid Trojan

 

Android device caution: versions 4.0-4.3 can be handled by RCSAndroid.

Remote Control Trojan RCSAndroid on Android is currently one of the most professional and complex malicious programs exposed in Android.

Since Hacking Team information leakage, the security field has been covered by vulnerabilities, exp and other messages every day. Of course, more information is yet to be mined. Now it's finally the turn of Android, but it's a bad news: A New Remote Access Trojan (RAT ).

 

RCSAndroid has ten "super powers"

The new Trojan found by Trend Micro researchers is called RCSAndroid and is one of the "most professional and complex" malware in Android so far.

The remote access trojan is evolved and cannot be cleared when the mobile phone is intruded into the system without the root permission. The best advice is to ask the mobile phone manufacturer for help and clear the phone again.

RCSAndroid can execute the following 10 spyware functions:

· Use the "screencap" command and directly read the screen buffering group content · monitor the clipboard content · collect Wi-Fi networks and various network account passwords, including Skype, Facebook, Twitter, Google, WhatsApp, Mail, and LinkedIn. · Use microphone recording · recording text messages, multimedia information and Gmail messages · recording positioning coordinates · collecting device information · taking photos with front and back cameras · collecting contacts in your account and decoding communications, the account includes the mediasever service of Facebook Messenger, WhatsApp, Skype, Viber, Line, Hangouts, Telegram, and blackberry message interception system, which can record voice calls between any phone and App.

This Trojan can infect devices in different ways, but it is usually spread by URL-based messages or emails.

"In default browsers from Android 4.0 to 4.3, this URL will trigger exploitation of arbitrary memory read (CVE-2012-2825) Vulnerabilities and Heap Buffer Overflow (CVE-2012-2871, attackers can then execute another Local Elevation of Privilege. After obtaining the root user, a shell backdoor and RCSAndroid proxy APK file will be installed ."

Research on RCSAndroid code

Once RCSAndroid is installed, it starts to work as diligently as a cluster bomb. When multiple dangerous traps are deployed, it also uses a large number of technical means to infect devices.

Through research code, Trend Micro found that the entire system includes four parts:

1. penetration tool: Enter the device through SMS, email, or normal applications. 2. Low-Level native agent: advanced vulnerability attacks and monitoring tools breaking through the android security architecture 3. Advanced Java proxies: Malicious APK files of applications 4. Command Control (C & C) servers: used to remotely send or receive malicious commands

Security suggestions

To prevent this type of malware, you should follow these steps:

· Refuse to download the application installation package from a third-party channel with unknown sources. · Constantly update your Android device to the latest version to prevent vulnerability exploitation. However, it is worth noting that, according to a customer email leaked by the Hacking Team, the company has been developing a trojan program for Android 5.0. · Install a security application to defend against threats.

The leakage of RCSAndroid has made it a powerful tool for public commercial espionage. It is recommended that you keep abreast of the latest developments and check whether the device is listening. Suspicious phenomena include abnormal system behaviors, such as failure to boot normally, unknown applications on the device, and crash of communication software.