3 Android apps linked to SideWinder found in Play Store; video shows payload deployment

Researchers found the first active attack exploiting CVE-2019-2215 distributed through the Play Store, and linked it to the SideWinder APT group

Smartphone users are now warned almost weekly about malicious apps turning up on official marketplaces. Most recently, researchers found at least three malicious apps carrying device-hijacking exploits that had made their way onto the Google Play Store.

Trend Micro's analysts report that the three apps work together to compromise a victim's device and collect user information. According to the researchers, this is the first known active attack in the wild that exploits CVE-2019-2215, a use-after-free vulnerability in the Android Binder driver, and the apps are also capable of fetching and running further malware from a command-and-control (C&C) server.

The malware apps in Play Store

Trend Micro researchers Ecular Xu and Joseph Chen reported on Monday, January 6 that the three malicious apps were disguised as photography and file manager tools. They estimate that the apps have been active since March 2019 "based on the certificate information on one of the apps. The apps have since been removed from Google Play."

Image: the malicious apps as listed on Google Play (source: Trend Micro)

If any of these apps is still on your device, delete it immediately:

  • Camero
  • FileCrypt Manager
  • callCam

The malware operation

The researchers assess that all three apps belong to the SideWinder threat group's arsenal. One of them, Camero, exploits CVE-2019-2215, a use-after-free vulnerability in the Android Binder driver that can be used to root the device. SideWinder has been active since 2012 and has reportedly targeted the Windows machines of military entities. It is not clear how many times the apps were installed.

SideWinder installs the payload app in two stages. The first stage downloads a DEX file from the C&C server. The researchers found that the group abuses Google Play's Apps Conversion Tracking feature to configure the C&C server address: the address is Base64-encoded and set as the referrer parameter of the URL used to distribute the malware, so it does not have to be hard-coded in the app itself.
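As an added example (not code from the article or from Trend Micro's report), the following Python shows both sides of the referrer trick described above: how a Base64-encoded C&C address can be smuggled into the referrer parameter of a Play Store distribution URL, and how an analyst can recover it from a batch of collected URLs while ignoring ordinary campaign referrers such as utm_source. The package name, C&C host and sample URLs are constructed for the example, and the exact layout SideWinder used is not given on this page; the code assumes the referrer value is a plain Base64 string.

```python
import base64
import binascii
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, quote, unquote, urlparse

# Constructed sample values for this example (not from the Trend Micro report).
SAMPLE_C2 = "https://c2.example.invalid/api"
SAMPLE_PACKAGE = "com.example.camero"


def build_distribution_url(package: str, c2_url: str) -> str:
    """Operator side: Base64-encode the C&C address and place it in the Play
    Store 'referrer' parameter of the app's distribution URL (assumed layout)."""
    token = base64.b64encode(c2_url.encode("utf-8")).decode("ascii")
    return (
        "https://play.google.com/store/apps/details"
        f"?id={package}&referrer={quote(token, safe='')}"
    )


def _b64_decode_lenient(text: str) -> Optional[bytes]:
    """Decode standard or URL-safe Base64, tolerating stripped '=' padding."""
    padded = text + "=" * (-len(text) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except binascii.Error:
        pass
    try:
        return base64.urlsafe_b64decode(padded)
    except (binascii.Error, ValueError):
        return None


def decode_referrer_c2(install_url: str) -> Optional[str]:
    """Analyst side: pull the referrer out of a distribution URL and return the
    embedded C&C URL, or None if the referrer is absent or does not decode to
    an http(s) URL (e.g. an ordinary utm_source=... campaign string)."""
    params = parse_qs(urlparse(install_url).query)
    referrers = params.get("referrer")
    if not referrers:
        return None
    raw = unquote(referrers[0]).strip()  # tolerate double URL-encoding
    blob = _b64_decode_lenient(raw)
    if blob is None:
        return None
    try:
        candidate = blob.decode("utf-8")
        parsed = urlparse(candidate)
    except (UnicodeDecodeError, ValueError):
        return None  # random bytes, or garbage urlparse rejects
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return candidate
    return None


def triage_urls(urls: List[str]) -> List[Tuple[str, str]]:
    """Return (distribution_url, decoded_c2) pairs for every URL whose referrer
    hides a C&C address; benign or referrer-less URLs are skipped."""
    hits = []
    for url in urls:
        c2 = decode_referrer_c2(url)
        if c2 is not None:
            hits.append((url, c2))
    return hits


# Constructed sample input: one malicious distribution URL, one ordinary
# campaign referrer, and one URL with no referrer at all.
SAMPLE_URLS = [
    build_distribution_url(SAMPLE_PACKAGE, SAMPLE_C2),
    "https://play.google.com/store/apps/details?id=com.example.notes"
    "&referrer=utm_source%3Dnewsletter%26utm_medium%3Demail",
    "https://play.google.com/store/apps/details?id=com.example.weather",
]

if __name__ == "__main__":
    for url, c2 in triage_urls(SAMPLE_URLS):
        print(f"{url}\n  -> C&C: {c2}")
```

The scheme-and-host check at the end is what separates a smuggled C&C address from legitimate marketing referrers, which often look Base64-like but decode to noise; run the triage over any Play Store links recovered from phishing pages or ad campaigns that point at a suspect package.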

The second stage downloads and installs an APK file, after either exploiting the device or abusing the Accessibility service. According to the researchers, all of this happens without the victim's knowledge, and the apps evade detection with obfuscation, data encryption and dynamically loaded code.

Apps become dropper

Two of the apps, Camero and FileCrypt Manager, act as droppers. After downloading an extra DEX file, these second-layer droppers invoke code from it to download, install and finally launch the callCam payload app on the device.

To deploy the callCam payload on the victim's device without the user's awareness, SideWinder relies on one of two approaches: rooting the device, or abusing the Accessibility permission. In the Accessibility path, once the permission has been granted the app shows a full-screen window claiming that further setup steps are required; this is an overlay that sits on top of every other activity window on the device.

Meanwhile, the researchers found, the app invokes code from the "extra DEX file to enable the installation of unknown apps and the installation of the payload app callCam. It also enables the payload app's accessibility permission and then launches the payload app. All of this happens behind the overlay screen, unbeknownst to the user. And, all these steps are performed by employing Accessibility."

The following video shows the payload deployment via CVE-2019-2215 on a Pixel 2.