SideWinder: Three malicious Android apps were discovered on the Google Play Store that work in concert with each other to compromise victim’s devices and steal user information. This represents the first known instance of the vulnerability CVE-2019-2215 being exploited in the wild. The stolen information includes location, battery status, files on the device, installed app list, device information, sensor information, camera information, screenshots, account data, WiFi information, and the data from WeChat, Outlook, Twitter, Yahoo Mail, Facebook, Gmail, and Chrome. The first app to catch the attention of researchers was Camero, which exploits CVE-2019-2215—a vulnerability that exists in Binder. Further investigation revealed that Camero was likely only one part of a campaign that is believed to be run by the Advanced Persistent Threat (APT) group SideWinder. SideWinder has been active since 2012 and has reportedly targeted military organizations’ Windows machines. The three apps, which are Camero, FileCrypt Manager, and callCam, have been active since March of 2019, according to the certificate information. All three applications have been removed from the Play Store since they were identified. SideWinder installs the payload app in two stages. It first downloads a DEX file (Dalvik Executable, an Android file format) from its command and control (C&C) server. The DEX file then downloads an APK file and installs it after exploiting the device or employing accessibility. All of this is done without the user’s knowledge. The apps Camero and FileCrypt Manager act as the droppers. After downloading the extra DEX file, the second-layer droppers run commands to download, install, and launch the callCam app on the victim’s device. Depending on which model of device is infected, the apps would download a phone model specific DEX file from the C&C server to root the phone. Devices vulnerable to rooting include Google Pixel (Pixel 2, Pixel 2 XL), Nokia 3 (TA-1032), LG V20 (LG-H990), Oppo F9 (CPH1881), and Redmi 6a devices.
Analyst Notes
This malware abuses the “Accessibility” feature of Android to allow the malicious app to press buttons and change settings on the user’s behalf. In order to gain permission to use Accessibility features, the mobile device user must first allow it. It is wise to be suspicious of any app that asks for Accessibility permissions and deny it because that feature is frequently abused by mobile malware. Multilayered security on mobile devices such as anti-virus and Mobile Device Management can aid in protecting user data and privacy from being compromised in an attack like this. More details and a list of hashes of the malware files can be found at this page: https://blog.trendmicro.com/trendlabs-security-intelligence/first-active-attack-exploiting-cve-2019-2215-found-on-google-play-linked-to-sidewinder-apt-group/
