This blog post will go over some of the modules for Hacking Team’s Android Malware. This will not be comprehensive, but will be a basic overview of what functionality is in Hacking Team’s malware. Also, if you have any suggestions, or anything to point out, please leave a comment. I’m still learning, and could use any assistance possible in learning how to get better at this.

First things first, this will primarily be covering the code in core-android/RCSAndroid/src/com/android/dvci/module/chat. This post is limited to that so I can focus on those modules without this getting way too long.

Judging by the folder name, dvci, and given that Da Vinci is Hacking Team’s malware, it’s safe to guess this is the code for the Da Vinci modules on Android. First, let’s look at what is in the directory:

As you can see, there are modules for BlackBerry Messenger, Facebook, Google Talk/Hangouts, Line, Skype, Telegram, Viber, WeChat, and WhatsApp. It also appears to be able to get/assign chat groups. Adding Wickr was also discussed in Hacking Team emails. I also noticed a lack of anything for Silent Circle, ChatSecure, TextSecure, Kik, and Snapchat, but let’s focus on what’s currently here. I should also note that the commit in the Git repo on GitHub is dated Dec 16, 2014, so there is a very real possibility they changed or added functionality, especially after the leak.

Side note: TextSecure traditionally handled messaging over SMS/MMS. I don’t know enough about the internals; however, it’s possible that texts could be intercepted using the standard SMS/MMS intercept code that’s in this malware, as I have personally seen text messages duplicated between TextSecure and other apps on one of my devices in the past.