Android has been a target of malware and other malicious software almost since its beginning, but the recent breach of the well-known spyware vendor “Hacking Team” now offers a very deep look into the rabbit hole. Security specialists at Trend Micro tore apart and analyzed the now-published code of Remote Control System Android (RCSAndroid), a spying tool developed and sold commercially by Hacking Team. Originally marketed as a tool to monitor targets, it has been known to researchers since 2014, but only now has its full potential been identified and made public. A closer look at the code showed that the software allows almost complete control over infected devices, such as capturing screenshots, monitoring clipboard content, collecting passwords for accounts and Wi-Fi networks, recording with the device’s microphone and cameras, collecting messages from any service or app, and even capturing real-time voice calls.
All in all, this sounds like any three-letter agency’s dream, and it may be more real than anyone would like: there are documents suggesting that the FBI was one of the many customers paying Hacking Team for services and for the development of a remote control tool. Additionally, references to FBI-related software have been found in other code published through the recent leak, which underscores a possible collaboration.
Where it gets really scary is that traces of the tool being used as early as 2012 have been found, which would mean that unsuspecting users may already have been tracked and monitored for the last three years. RCSAndroid could apparently be controlled through a dedicated server, bought from a hosting provider and no longer available, and could also accept commands sent by SMS from a number in the Czech Republic. According to leaked e-mail correspondence, various Czech firms appear to be doing business with Hacking Team, including even a major IT partner of the Olympic Games.
As Trend Micro puts it, this “can be considered one of the most professionally developed and sophisticated Android malware” ever. And with the code now leaked and available to everyone, cybercriminals have been handed a new, heavily weaponized resource for monitoring and surveilling potential targets. The software has several ways of installing itself, trying multiple exploits, and of course hides its own traces, which makes it extremely hard to detect and remove. The safest, and in most cases the only, way to get rid of it is to completely re-flash the device. The only potential sign of an infection visible to ordinary users is “peculiar behavior”, such as unexpected reboots, unfamiliar apps appearing on the device, or messaging apps freezing. In short: stay alert, and consider installing security software, as those up to no good may soon be launching their own variants of RCSAndroid at the public.