Mallory

Malware | Used by 1 actor | Exploits 2 CVEs

RCSAndroid

RCSAndroid (Remote Control System Android) is an Android surveillance malware suite associated with Hacking Team. It has reportedly been actively used since 2012 and was publicly documented in 2014 by Citizen Lab in attacks against Android users in Saudi Arabia. Trend Micro described it as a highly sophisticated and professionally developed Android malware family, and the leak of its source code following the Hacking Team breach exposed a commercial surveillance platform that could be repurposed by other actors.

Reported infection vectors include SMS lures directing targets to malicious websites and a fake news application named BeNews that was available on Google Play. The malicious websites exploited CVE-2012-2825 and CVE-2012-2871 in the default Android browser on versions 4.0 through 4.3. The framework combined browser exploits, low-level collection components, a higher-level APK installer, and command-and-control infrastructure. Emails cited in the reporting indicated that Hacking Team engineers were developing updates intended to work on Android 5.0, though the reporting also notes there was no indication that those source code updates had been made public.

RCSAndroid supports extensive surveillance and collection capabilities. Directly reported functions include collecting SMS, MMS, and Gmail messages; collecting Wi-Fi passwords and online account passwords for services including Skype, Facebook, Twitter, Google, WhatsApp, Mail, and LinkedIn; capturing screenshots; monitoring clipboard contents; recording audio via the microphone; recording device location; gathering device information; capturing photos with the front and back cameras; collecting contacts; decoding messages from Facebook Messenger, WhatsApp, Skype, Viber, Line, WeChat, Hangouts, Telegram, and BlackBerry Messenger; and capturing real-time voice calls in any network or app by hooking the mediaserver system service.

The reporting notes that removal may be difficult and that infected devices may require firmware reflashing to fully remove the backdoor. Reported possible indicators of compromise include unexpected rebooting, unfamiliar installed applications, and instant messaging applications suddenly freezing.


Exploited CVEs: Vulnerabilities exploited

2 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

CVE-2012-2825: Denial of Service in Google Chrome XSL implementation (exploited in the wild)

"The malicious sites, in turn, exploited known exploits, designated as CVE-2012-2825 and CVE-2012-2871, and are present in the default browsers found in Android versions from 4.0 to 4.3." | "RCSAndroid has been actively used since 2012 and has been known to researchers since 2014, when research group Citizen Lab detailed a Hacking Team backdoor used against Android users in Saudi Arabia."

via Ars Technica (arstechnica.com)

CVE-2012-2871: libxml2 XSL transform type cast handling vulnerability (exploited in the wild)

"The malicious sites, in turn, exploited known exploits, designated as CVE-2012-2825 and CVE-2012-2871, and are present in the default browsers found in Android versions from 4.0 to 4.3." | "RCSAndroid has been actively used since 2012 and has been known to researchers since 2014, when research group Citizen Lab detailed a Hacking Team backdoor used against Android users in Saudi Arabia."

via Ars Technica (arstechnica.com)

Threat actors: Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

Hacking Team

RCSAndroid has been actively used since 2012 and has been known to researchers since 2014, when research group Citizen Lab detailed a Hacking Team backdoor used against Android users in Saudi Arabia.

via Ars Technica (arstechnica.com)

MITRE ATT&CK: Techniques & procedures

13 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access (3 techniques)

T1189 Drive-by Compromise (evidence: 2)

The malicious sites, in turn, exploited known exploits, designated as CVE-2012-2825 and CVE-2012-2871, and are present in the default browsers found in Android versions from 4.0 to 4.3.

T1190 Exploit Public-Facing Application (evidence: 2)

The malicious sites, in turn, exploited known exploits, designated as CVE-2012-2825 and CVE-2012-2871, and are present in the default browsers found in Android versions from 4.0 to 4.3.

T1566.002 Spearphishing Link (evidence: 2)

The first involved text messages that lured users to booby-trapped websites.

Execution (1 technique)

T1204.002 Malicious File (evidence: 2)

A second infection method was to use a fake news app called "BeNews," which as Ars reported earlier this week was available on the official Google Play Android market.

Stealth (1 technique)

T1036 Masquerading (evidence: 1)

A second infection method was to use a fake news app called "BeNews," which as Ars reported earlier this week was available on the official Google Play Android market.

T1555 Credentials from Password Stores (evidence: 3)

RCSAndroid can collect passwords for Wi-Fi networks and online accounts, including Skype, Facebook, Twitter, Google, WhatsApp, Mail, and LinkedIn.

Discovery (1 technique)

T1082 System Information Discovery (evidence: 1)

Gather device information

Collection (5 techniques)

T1005 Data from Local System (evidence: 1)

AbstractEmu can collect files from or inspect the device’s filesystem. AhRat can find and exfiltrate files with certain extensions, such as .jpg, .mp4, .html, .docx, and .pdf. DCHSpy has collected files of interest on the device, including WhatsApp files.

T1113 Screen Capture (evidence: 1)

RCSAndroid includes the ability to: Capture screenshots using the “screencap” command and framebuffer direct reading

T1115 Clipboard Data (evidence: 1)

RCSAndroid includes the ability to: Monitor clipboard content

T1123 Audio Capture (evidence: 1)

Record using the microphone

T1125 Video Capture (evidence: 1)

Capture photos using the front and back cameras

T1071 Application Layer Protocol (evidence: 2)

The Android surveillance suite works like a “cluster bomb” that combines multiple attack tools... and a command-and-control server infrastructure infected devices can connect to.
