Wednesday, May 21, 2025
Follow us On Linkedin
HomeAndroidHackers Exploit Android Vulnerability to Install Malware Without User Interaction Via Google...

Hackers Exploit Android Vulnerability to Install Malware Without User Interaction Via Google Play

AndroidVulnerability

Published on

By Gurubaran
First Attack Exploits Android Vulnerability CVE-2019-2215 to Install Malware Without User Interaction Via Google Play

Supply Chain Attack Prevention

SIEM as a Service

Follow Us on Google News

Security researchers from Trend Micro observed three malicious apps on Google Play that aims to compromise victims’ devices and steal information from the SideWinder APT group.

The three apps include “Camero, FileCryptManager & CallCam,” among the three Camero is the one that exploits the use-after-free vulnerability CVE-2019-2215.

SideWinder APT group
Three Malicious Apps

This is the first attack spotted in the wild using exploits CVE-2019-2215 that resides in Binder. By exploiting this vulnerability attackers can download files without user interaction.

- Advertisement - Google News

Malware Deployment

The apps were found to be associated with the SideWinder APT group, the group is active since 2012 and is known for attacking military entities’ Windows machines.

These apps are posted in Google disguised as a Camera and Filemanager app.

Camero – Dropper
FileCryptManager – Dropper
CallCam – Final Payload that steals information

SideWinder deploys the payload in two stages

Stage 1 – Download the DEX file from the attacker’s C&C server.
Stage 2 – Downloaded DEX file downloads an APK that is to be installed after exploiting the device or employing accessibility.

SideWinder APT group
Infection Chain

“All of this is done without user awareness or intervention. To evade detection, it uses many techniques such as obfuscation, data encryption, and invoking dynamic code,” reads a Trend Micro blog post.

Before dropping the final payload the dropper tries to root the phone or to gain Accessibility Permission on the targeted device.

Final Payload – CallCam

Once launched on the infected device it hides the icon and starts collecting information by running in the background.

It encrypts the stolen data using RSA and AES encryption algorithms and sends’s to the attacker’s C&C server. The following is the information it collects.

  1. Location
  2. Battery status
  3. Files on device
  4. Installed app list
  5. Device information
  6. Sensor information
  7. Camera information
  8. Screenshot
  9. Account
  10. Wifi information
  11. Data from WeChat, Outlook, Twitter, Yahoo Mail, Facebook, Gmail, and Chrome

All three apps found to be active since March 2019 and they have been removed from Google Play now.

Also, Read

Microsoft Released Final Version of Security Configuration Baseline for Windows 10 and Windows Server

Microsoft Warns about the New Campaign that Delivers FlawedAmmyy RAT via Weaponized MS Excel Documents

Top 3 Categories That Mostly Impact by Cyber Threats & Protection Against Cyber Attack

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Browser

Hackers Target Mobile Users Using PWA JavaScript to Bypass Browser Security

A sophisticated new injection campaign has been uncovered, targeting mobile users through malicious third-party...
API

Docker Zombie Malware Infects Containers for Crypto Mining and Self-Replication

A novel malware campaign targeting containerized infrastructures has emerged, exploiting insecurely exposed Docker APIs...
Cyber Attack

Hackers Masquerade as Organizations to Steal Payroll Logins and Redirect Payments from Employees

ReliaQuest, hackers have deployed a cunning search engine optimization (SEO) poisoning scheme to orchestrate...
cyber security

PupkinStealer Exploits Web Browser Passwords and App Tokens to Exfiltrate Data Through Telegram

A newly identified .NET-based information-stealing malware, dubbed PupkinStealer (also known as PumpkinStealer in some...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

Register Now

More like this

Cyber Attack

New Scan Uncovers 150K Industrial Systems Worldwide Vulnerable to Cyberattacks

A groundbreaking study leveraging advanced application-layer scanning has exposed approximately 150,000 industrial control systems...
cyber security

PowerDNS Vulnerability Allows Attackers to Trigger DoS Attacks Through Malicious TCP Connections

PowerDNS has released a critical security update to address a vulnerability in its DNSdist...
Cyber Attack

Ivanti EPMM 0-Day RCE Vulnerability Under Active Attack

Critical vulnerability chain in Ivanti’s Endpoint Manager Mobile (EPMM) has been actively exploited.  The vulnerabilities,...

GBHackers on Security is a top cybersecurity news platform, delivering up-to-date coverage on breaches, emerging threats, malware, vulnerabilities, and global cyber incidents.

Company

Trending

Categories

Copyright @ 2016 - 2025 GBHackers On Security - All Rights Reserved