Security researchers from Trend Micro observed three malicious apps on Google Play that aims to compromise victims’ devices and steal information from the SideWinder APT group.
The three apps include “Camero, FileCryptManager & CallCam,” among the three Camero is the one that exploits the use-after-free vulnerability CVE-2019-2215.
This is the first attack spotted in the wild using exploits CVE-2019-2215 that resides in Binder. By exploiting this vulnerability attackers can download files without user interaction.
The apps were found to be associated with the SideWinder APT group, the group is active since 2012 and is known for attacking military entities’ Windows machines.
These apps are posted in Google disguised as a Camera and Filemanager app.
Camero – Dropper
FileCryptManager – Dropper
CallCam – Final Payload that steals information
SideWinder deploys the payload in two stages
Stage 1 – Download the DEX file from the attacker’s C&C server.
Stage 2 – Downloaded DEX file downloads an APK that is to be installed after exploiting the device or employing accessibility.
“All of this is done without user awareness or intervention. To evade detection, it uses many techniques such as obfuscation, data encryption, and invoking dynamic code,” reads a Trend Micro blog post.
Before dropping the final payload the dropper tries to root the phone or to gain Accessibility Permission on the targeted device.
Once launched on the infected device it hides the icon and starts collecting information by running in the background.
It encrypts the stolen data using RSA and AES encryption algorithms and sends’s to the attacker’s C&C server. The following is the information it collects.
All three apps found to be active since March 2019 and they have been removed from Google Play now.
Also, Read
Top 3 Categories That Mostly Impact by Cyber Threats & Protection Against Cyber Attack
A sophisticated cyber campaign orchestrated by the Chinese Advanced Persistent Threat (APT) group, Silver Fox,…
A new wave of cyberattacks attributed to the Ghostwriter Advanced Persistent Threat (APT) group has…
The LCRYX ransomware, a malicious VBScript-based threat, has re-emerged in February 2025 after its initial…
Recent cybersecurity investigations have uncovered a sophisticated technique employed by threat actors to evade detection…
A financial management app named Finance Simplified has been revealed as a malicious tool for…
A recent discovery by cybersecurity researchers has revealed that the Poseidon malware, a macOS-targeting trojan,…