First Attack Exploits Android Vulnerability CVE-2019-2215 to Install Malware Without User Interaction Via Google Play

Security researchers from Trend Micro observed three malicious apps on Google play that aims to compromise victim’s devices and to steal information.

The three apps include “Camero, FileCryptManager & CallCam,” among the three Camero is the one exploits use-after-free vulnerability CVE-2019-2215.

SideWinder APT group
Three Malicious Apps

This is the first attack spotted in wild using exploits CVE-2019-2215 that resides in Binder. By exploiting this vulnerability attackers can download files without user interaction.

Malware Deployment

The apps found to be associated with the SideWinder APT group, the group is active since 2012 and known for attacking military entities’ Windows machines.

These apps are posted in Google disguising as a Camera and Filemanager app.

Camero – Dropper
FileCryptManager – Dropper
CallCam – Final Payload that steals information

SideWinder deploys the payload in two stages

Stage 1 – Downloads the DEX file from the attacker’s C&C server.
Stage 2 – Downloaded DEX file downloads an APK that to be installed after exploiting the device or employing accessibility.

SideWinder APT group
Infection Chain

“All of this is done without user awareness or intervention. To evade detection, it uses many techniques such as obfuscation, data encryption, and invoking dynamic code,” reads Trend Micro blog post.

Before dropping the final payload the droppers tries to root the phone or to gain Accessibility Permission on the targeted device.

Final Payload – CallCam

Once launched on the infected device it hides the icon and starts collecting information by running in the background.

It encrypts the stolen data using RSA and AES encryption algorithms and sends’s to the attacker’s C&C server. The following is the information it collects.

  1. Location
  2. Battery status
  3. Files on device
  4. Installed app list
  5. Device information
  6. Sensor information
  7. Camera information
  8. Screenshot
  9. Account
  10. Wifi information
  11. Data of WeChat, Outlook, Twitter, Yahoo Mail, Facebook, Gmail, and Chrome

All three apps found to be active since March 2019 and they have been removed from Google Play now.

Leave a Reply