SideWinder: Three malicious Android apps were discovered on the Google Play Store that work in concert with each other to compromise victim’s devices and steal user information. This represents the first known instance of the vulnerability CVE-2019-2215 being exploited in the wild. The stolen information includes location, battery status, files on the device, installed app list, device information, sensor information, camera information, screenshots, account data, WiFi information, and the data from WeChat, Outlook, Twitter, Yahoo Mail, Facebook, Gmail, and Chrome. The first app to catch the attention of researchers was Camero, which exploits CVE-2019-2215—a vulnerability that exists in Binder. Further investigation revealed that Camero was likely only one part of a campaign that is believed to be run by the Advanced Persistent Threat (APT) group SideWinder. SideWinder has been active since 2012 and has reportedly targeted military organizations’ Windows machines. The three apps, which are Camero, FileCrypt Manager, and callCam, have been active since March of 2019, according to the certificate information. All three applications have been removed from the Play Store since they were identified. SideWinder installs the payload app in two stages. It first downloads a DEX file (Dalvik Executable, an Android file format) from its command and control (C&C) server. The DEX file then downloads an APK file and installs it after exploiting the device or employing accessibility. All of this is done without the user’s knowledge. The apps Camero and FileCrypt Manager act as the droppers. After downloading the extra DEX file, the second-layer droppers run commands to download, install, and launch the callCam app on the victim’s device. Depending on which model of device is infected, the apps would download a phone model specific DEX file from the C&C server to root the phone. Devices vulnerable to rooting include Google Pixel (Pixel 2, Pixel 2 XL), Nokia 3 (TA-1032), LG V20 (LG-H990), Oppo F9 (CPH1881), and Redmi 6a devices.
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense Russia’s invasion of Ukraine increased