Hacking Team had developed an Android app that could dynamically execute malware payloads, and appeared within Google's Play store as an innocuous news app, Trend Micro has said.
The app, BeNews, only requested three permissions from a user when installed, and was able to avoid Google's automated app checks as no exploit was contained within its code, the security firm said.
"The fake news app was downloaded up to 50 times before it was removed from Google Play on July 7," Trend Micro said. "Looking into the app's routines, we believe the app can circumvent Google Play restrictions by using dynamic loading technology."
"Dynamic loading technology allows the app to download and execute a partial of code from the internet. It will not load the code while Google is verifying the app but will later push the code once the victim starts using it."
Trend Micro said that Hacking Team had developed instructions for its customers to take advantage of the app, and a Google Play account that they could use. The app uses a privilege escalation bug, CVE-2014-3153, found in Android 2.2 to 4.4.4.
It has been a week since 400GB of corporate data made its way out of Hacking Team and appeared online. Since that time, Adobe has patched two Flash exploits that have become known as a result of the hack, as well as Trend Micro finding a UEFI BIOS rootkit that was designed to keep Hacking Team's Remote Control System agent installed on a targets' system, even if they formatted or changed a hard drive.
In an interview earlier this week, CEO of Hacking Team David Vincenzetti said his company was misunderstood and were the good guys.
"The lawful surveillance system that Hacking Team has provided to law enforcement for more than a decade is critical to the work of preventing and investigating crime and terrorism," Vincenzetti said in a statement.
"No other company has ever produced a lawful surveillance capability nearly as comprehensive, as easy to use, or as powerful as ours."