January 6, 2020 (updated 6 July 2022)

SideWinder Doesn’t Sleep Tonight: APT Attacks New Android Vulnerability via 3 Play Store Apps

"These apps have been active since March 2019"

By CBR Staff Writer

Trend Micro researchers say they have found three malicious apps on Google Play that exploit a severe Android kernel vulnerability.

The applications, disguised as photography tools, are the first active attacks identified in the wild that make use of CVE-2019-2215, a use-after-free in Binder, Android's kernel-level interprocess communication mechanism, which was first publicly reported by Project Zero's Maddie Stone in October 2019.

Trend Micro attributes the trio of malicious applications — since pulled down by Google — to the “SideWinder” threat actor group’s arsenal. (SideWinder has previously been identified by Kaspersky as targeting Pakistani military infrastructure.)

And the certificate information on one of the apps suggests they had been active since March 2019, some seven months before Google's write-up of the vulnerability.


Google’s Threat Analysis Group (TAG) and others in October attributed the then-zero day to Israeli cyber intelligence firm NSO Group, which had gained notoriety in May for a WhatsApp exploit. Unusually for Android (a sprawling ecosystem of vendors, configurations and hardware/software variations that often leaves exploits working only on a subset of devices), the exploit requires “little or no per-device customization”, Project Zero noted in its detailed write-up at the time.

In a blog post today, Trend Micro’s Ecular Xu and Joseph C Chen said: “The three malicious apps were disguised as photography and file manager tools. We speculate that these apps have been active since March 2019 based on the certificate information on one of the apps. The apps have since been removed from Google Play.”

The two posted a detailed write-up, including a description of how the payload app was installed: “It first downloads a DEX file (an Android file format) from its command and control (C&C) server… the downloaded DEX file downloads an APK file and installs it after exploiting the device or employing accessibility.


“To evade detection, it uses many techniques such as obfuscation, data encryption, and invoking dynamic code. The apps Camero and FileCrypt Manger act as droppers. After downloading the extra DEX file from the C&C server, the second-layer droppers invoke extra code to download, install, and launch the callCam app on the device.

The malware then retrieves a specific exploit from the C&C server depending on the DEX downloaded by the dropper.

They added: “We were able to download five exploits from the C&C server during our investigation. They use the vulnerabilities CVE-2019-2215 and MediaTek-SU to get root privilege.”

The applications then funnel data back to C&C servers, including:

  • WeChat, Outlook, Twitter, Yahoo Mail, Facebook, Gmail, and Chrome messages.
  • Location
  • Files on device
  • Camera information
  • Screenshots
  • Account information
  • Wifi information

(The apps encrypted all stolen data using RSA and AES encryption algorithms.)

The two researchers linked the apps to the SideWinder APT, “as the C&C servers it uses are suspected to be part of SideWinder’s infrastructure. In addition, a URL linking to one of the apps’ Google Play pages is also found on one of the C&C servers”, which include ms-ethics.net; deb-cn.net; ap1-acl.net; ms-db.net; aws-check.net; reawk.net.
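For defenders, the domain list above is the most directly actionable part of the report. The following script is an added example, not code from Trend Micro or from this article: it runs the six published C&C domains as indicators over DNS query logs and reports any query for one of them or for a subdomain of one, while not matching look-alikes such as a hostname that merely ends in the same string. The log format (timestamp, client IP, queried name) and the log lines themselves are constructed for illustration.

```python
"""Match DNS query logs against the SideWinder C&C domains named in the article.

Added example; not Trend Micro's or Tech Monitor's code. Input format is a
constructed one: "<timestamp> <client_ip> <qname>" per line, '#' comments allowed.
"""
import re
from typing import Iterable, List, Optional, Tuple

# C&C domains quoted in the article (attributed by Trend Micro to SideWinder).
SIDEWINDER_C2_DOMAINS = {
    "ms-ethics.net",
    "deb-cn.net",
    "ap1-acl.net",
    "ms-db.net",
    "aws-check.net",
    "reawk.net",
}

# Constructed sample log; these lines are not real traffic.
SAMPLE_DNS_LOG = """\
# constructed sample, not real traffic
2019-11-12T08:01:22Z 10.0.0.5 www.google.com
2019-11-12T08:01:25Z 10.0.0.5 API.ms-ethics.net.
2019-11-12T08:02:03Z 10.0.0.7 ms-ethics.net.example.org
2019-11-12T08:02:40Z 10.0.0.9 reawk.net
2019-11-12T08:03:11Z 10.0.0.9 notreawk.net
2019-11-12T08:04:58Z 10.0.0.12 cdn.deb-cn.net
"""

LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)$")


def normalize_host(host: str) -> str:
    """Lowercase and strip whitespace and a trailing FQDN dot ("a.b.net." -> "a.b.net")."""
    return host.strip().lower().rstrip(".")


def matches_ioc(host: str, iocs: Iterable[str] = SIDEWINDER_C2_DOMAINS) -> Optional[str]:
    """Return the IoC domain that host equals or is a subdomain of, else None.

    Matching is done on DNS labels, so "ms-ethics.net.example.org" and
    "notreawk.net" do not match, while "api.ms-ethics.net" does.
    """
    h = normalize_host(host)
    for ioc in iocs:
        d = normalize_host(ioc)
        if h == d or h.endswith("." + d):
            return d
    return None


def scan_dns_log(lines: Iterable[str]) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, client, queried_name, matched_ioc) for every IoC hit."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LOG_LINE.match(line)
        if not m:
            continue  # tolerate malformed lines rather than abort the scan
        ioc = matches_ioc(m["qname"])
        if ioc:
            hits.append((m["ts"], m["client"], normalize_host(m["qname"]), ioc))
    return hits


if __name__ == "__main__":
    for ts, client, qname, ioc in scan_dns_log(SAMPLE_DNS_LOG.splitlines()):
        print(f"{ts} {client} queried {qname} (matches C&C domain {ioc})")
```

Matching on label boundaries rather than plain substring is the check that matters here: a hostname ending in `reawk.net` as part of a longer label, or an attacker-controlled domain that embeds an IoC as a prefix, must not produce hits, and a real C&C subdomain must.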

The applications are a stark reminder of the challenge Google faces in filtering malicious applications out of the Play Store, despite sophisticated efforts to do so, including the 2017 launch of [default security suite] Google Play Protect.

