Categories: AndroidVulnerability

Hackers Exploit Android Vulnerability to Install Malware Without User Interaction Via Google Play

Security researchers from Trend Micro observed three malicious apps on Google Play that aims to compromise victims’ devices and steal information from the SideWinder APT group.

The three apps include “Camero, FileCryptManager & CallCam,” among the three Camero is the one that exploits the use-after-free vulnerability CVE-2019-2215.

Three Malicious Apps

This is the first attack spotted in the wild using exploits CVE-2019-2215 that resides in Binder. By exploiting this vulnerability attackers can download files without user interaction.

Malware Deployment

The apps were found to be associated with the SideWinder APT group, the group is active since 2012 and is known for attacking military entities’ Windows machines.

These apps are posted in Google disguised as a Camera and Filemanager app.

Camero – Dropper
FileCryptManager – Dropper
CallCam – Final Payload that steals information

SideWinder deploys the payload in two stages

Stage 1 – Download the DEX file from the attacker’s C&C server.
Stage 2 – Downloaded DEX file downloads an APK that is to be installed after exploiting the device or employing accessibility.

Infection Chain

“All of this is done without user awareness or intervention. To evade detection, it uses many techniques such as obfuscation, data encryption, and invoking dynamic code,” reads a Trend Micro blog post.

Before dropping the final payload the dropper tries to root the phone or to gain Accessibility Permission on the targeted device.

Final Payload – CallCam

Once launched on the infected device it hides the icon and starts collecting information by running in the background.

It encrypts the stolen data using RSA and AES encryption algorithms and sends’s to the attacker’s C&C server. The following is the information it collects.

  1. Location
  2. Battery status
  3. Files on device
  4. Installed app list
  5. Device information
  6. Sensor information
  7. Camera information
  8. Screenshot
  9. Account
  10. Wifi information
  11. Data from WeChat, Outlook, Twitter, Yahoo Mail, Facebook, Gmail, and Chrome

All three apps found to be active since March 2019 and they have been removed from Google Play now.

Also, Read

Microsoft Released Final Version of Security Configuration Baseline for Windows 10 and Windows Server

Microsoft Warns about the New Campaign that Delivers FlawedAmmyy RAT via Weaponized MS Excel Documents

Top 3 Categories That Mostly Impact by Cyber Threats & Protection Against Cyber Attack

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

Ivanti Fully Patched Connect Secure RCE Vulnerability That Actively Exploited in the Wild

Ivanti has issued an urgent security advisory for CVE-2025-22457, a critical vulnerability impacting Ivanti Connect…

19 hours ago

Beware! Weaponized Job Recruitment Emails Spreading BeaverTail and Tropidoor Malware

A concerning malware campaign was disclosed by the AhnLab Security Intelligence Center (ASEC), revealing how…

22 hours ago

EncryptHub Ransomware Uncovered Through ChatGPT Use and OPSEC Failures

EncryptHub, a rapidly evolving cybercriminal entity, has come under intense scrutiny following revelations of operational…

22 hours ago

PoisonSeed Targets CRM and Bulk Email Providers in New Supply Chain Phishing Attack

A sophisticated phishing campaign, dubbed "PoisonSeed," has been identified targeting customer relationship management (CRM) and…

22 hours ago

Beware! Fake Unpaid Tolls Messages Used in Phishing Attack to Steal Login Credentials

A surge in phishing text messages claiming unpaid tolls has been linked to a massive…

22 hours ago

State Bar of Texas Confirms Data Breach, Begins Notifying Affected Consumers

The State Bar of Texas has confirmed a data breach following the detection of unauthorized…

22 hours ago