“These apps have been active since March 2019”
Trend Micro researchers say they have found three malicious apps on Play Store targeting a severe Android kernel vulnerability.
The applications, disguised as photography tools, are the first active attacks identified in the wild that make use of CVE-2019-2215, a vulnerability in Binder — an interprocess communication mechanism in the mobile operating system — first publicly reported by Project Zero’s Maddie Stone in October 2019.
Trend Micro attributes the trio of malicious applications — since pulled down by Google — to the “SideWinder” threat actor group’s arsenal. (SideWinder has previously been identified by Kaspersky as targeting Pakistani military infrastructure.)
And their certificate information suggests that they were tapping the vulnerability for some seven months before Google’s write-up.
Google’s Threat Analysis Group (TAG) and others in October attributed the then-zero day to Israeli cyber intelligence firm NSO Group, which gained notoriety in May for a Whatsapp exploit. Unusually for Android (a sprawling ecosystem of vendors, configurations and hardware/software variations that often results in exploits being limited to a subset of devices) the exploit requires “little or no per-device customization”, they noted in a detailed write-up at the time.
In a blog post today, Trend Micro’s Ecular Xu and Joseph C Chen said: “The three malicious apps were disguised as photography and file manager tools. We speculate that these apps have been active since March 2019 based on the certificate information on one of the apps. The apps have since been removed from Google Play.”
The two posted a detailed write-up, including a description of how the payload app was installed: “It first downloads a DEX file (an Android file format) from its command and control (C&C) server… the downloaded DEX file downloads an APK file and installs it after exploiting the device or employing accessibility.
“To evade detection, it uses many techniques such as obfuscation, data encryption, and invoking dynamic code. The apps Camero and FileCrypt Manger act as droppers. After downloading the extra DEX file from the C&C server, the second-layer droppers invoke extra code to download, install, and launch the callCam app on the device.
The malware then retrieves a specific exploit from the C&C server depending on the DEX downloaded by the dropper.
They added: “We were able to download five exploits from the C&C server during our investigation. They use the vulnerabilities CVE-2019-2215 and MediaTek-SU to get root privilege.”
The applications then funnel data back to C&C servers, including:
- WeChat, Outlook, Twitter, Yahoo Mail, Facebook, Gmail, and Chrome messages.
- Files on device
- Camera information
- Account information
- Wifi information
(The apps encrypted all stolen data using RSA and AES encryption algorithms.)
The two researchers linked it to the SideWinder APT, “as the C&C servers it uses are suspected to be part of SideWinder’s infrastructure. In addition, a URL linking to one of the apps’ Google Play pages is also found on one of the C&C servers, which include ms-ethics.net; deb-cn.net; ap1-acl.net; ms-db.net; aws-check.net; reawk.net.
The applications are a stark reminder of the challenge Google faces in filtering out malicious applications on Play Store, despite sophisticated efforts to do so, including the the 2017 launch of [default security suite] Google Play Protect.
See also: Critics Hit Out at Cisco After Security Researcher Finds 120+ Vulnerabilities in a Single Product