Trend Micro researchers say they have found three malicious apps on Play Store targeting a severe Android kernel vulnerability.
The applications, disguised as photography tools, are the first active attacks identified in the wild that make use of CVE-2019-2215, a vulnerability in Binder — an interprocess communication mechanism in the mobile operating system — first publicly reported by Project Zero’s Maddie Stone in October 2019.
Trend Micro attributes the trio of malicious applications — since pulled down by Google — to the “SideWinder” threat actor group’s arsenal. (SideWinder has previously been identified by Kaspersky as targeting Pakistani military infrastructure.)
And their certificate information suggests that they were tapping the vulnerability for some seven months before Google’s write-up.
Google’s Threat Analysis Group (TAG) and others in October attributed the then-zero day to Israeli cyber intelligence firm NSO Group, which gained notoriety in May for a Whatsapp exploit. Unusually for Android (a sprawling ecosystem of vendors, configurations and hardware/software variations that often results in exploits being limited to a subset of devices) the exploit requires “little or no per-device customization”, they noted in a detailed write-up at the time.
In a blog post today, Trend Micro’s Ecular Xu and Joseph C Chen said: “The three malicious apps were disguised as photography and file manager tools. We speculate that these apps have been active since March 2019 based on the certificate information on one of the apps. The apps have since been removed from Google Play.”
The two posted a detailed write-up, including a description of how the payload app was installed: “It first downloads a DEX file (an Android file format) from its command and control (C&C) server… the downloaded DEX file downloads an APK file and installs it after exploiting the device or employing accessibility.
“To evade detection, it uses many techniques such as obfuscation, data encryption, and invoking dynamic code. The apps Camero and FileCrypt Manger act as droppers. After downloading the extra DEX file from the C&C server, the second-layer droppers invoke extra code to download, install, and launch the callCam app on the device.
The applications are a stark reminder of the challenge Google faces in filtering out malicious applications on Play Store, despite sophisticated efforts to do so, including the the 2017 launch of [default security suite] Google Play Protect.