A Trend Micro research team has identified three malicious apps on the Google Play Store that exploit a serious Android kernel vulnerability.
The apps, named callCam, Camero, and FileCrypt, pose as camera and file utilities. They exploit a vulnerability in Binder, Android's interprocess communication (IPC) mechanism, tracked as CVE-2019-2215.
The vulnerability was publicly disclosed by Maddie Stone of Google Project Zero in October 2019, when it was found being exploited in the wild. It is a local privilege escalation bug: an attacker who can already run code on a vulnerable device can use it to gain full root. Chained with a browser rendering flaw, it can also be exploited remotely.
According to Trend Micro, this use-after-free vulnerability had been in use since March 2019, around seven months before Project Zero reported it as a zero-day attributed to Israel's NSO Group. The apps have been active since the same time, the researchers say.
“We speculate that these apps have been active since March 2019 based on the certificate information on one of the apps,” the researchers wrote in their blog post.
The three apps have since been removed from the Play Store. Trend Micro attributes their distribution to SideWinder, an APT group believed to operate out of India and the same group that Kaspersky Lab believes has been targeting Pakistani military infrastructure.
Trend Micro found that Camero and FileCrypt act as droppers: they connect to a remote C&C server and download a DEX file, which in turn downloads the callCam APK and installs it, either by exploiting the privilege escalation vulnerability or by abusing Android's accessibility service.
Once callCam is installed, it hides its icon from the launcher but keeps running in the background to collect data from the device, including:
Camera and sensor information
Data from social networking apps such as Twitter, Facebook, and WeChat
Wi-Fi details, account information for Gmail, Yahoo Mail, Outlook, and Chrome, and screenshots
As in most such cases, all of this happens without alerting the user. The apps use a variety of techniques to evade detection, including “obfuscation, data encryption, and invoking dynamic code.”
To obtain root on a wider range of Android phones, the apps also exploit MediaTek-SU, a separate root vulnerability affecting devices with MediaTek chipsets.
(Video: Demonstration of an attack exploiting CVE-2019-2215)
Although the malicious apps have been removed from the Play Store, there is no guarantee that similar apps are not still available, so install apps with care. To check whether your device is affected, open Settings > App manager (the installed-apps list) on your Android phone and uninstall the apps if they appear there. Hiding the launcher icon, as callCam does, does not remove an app from this list. Also check the Android security patch level in Settings (usually under About phone or Security): the fix for CVE-2019-2215 shipped in the October 2019 Android security bulletin, so a patch level earlier than 2019-10-06 means the device is still exposed.
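The same two checks can be run over adb instead of by hand. The script below is an added example, not code from the Trend Micro report or from the apps themselves; it goes slightly beyond the article by automating the security-patch-level comparison alongside the installed-package review. It assumes adb is on PATH with USB debugging enabled on the device, and the sample `pm list packages -3` output and the package names in it are constructed for illustration only.

```shell
#!/bin/sh
# Added example (not from the Trend Micro report): triage a connected Android
# device over adb for the two conditions described in the article.
# Assumes: adb is installed and the device has USB debugging enabled.
set -e

# CVE-2019-2215 was fixed in the October 2019 Android Security Bulletin, so a
# device whose security patch level predates 2019-10-06 is still exposed.
FIXED_PATCH_LEVEL="2019-10-06"

# patch_level_vulnerable YYYY-MM-DD
# Exit 0 if the patch level predates the fix, 1 if it includes the fix, and
# 2 if the value is not a date (treated as "unknown", never as "safe").
patch_level_vulnerable() {
    level=$(printf '%s' "$1" | sed 's/-//g')               # 2019-09-05 -> 20190905
    fixed=$(printf '%s' "$FIXED_PATCH_LEVEL" | sed 's/-//g')
    case "$level" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) [ "$level" -lt "$fixed" ] ;;
        *) return 2 ;;
    esac
}

# third_party_packages < pm-list-output
# Reads "package:<name>" lines (the format printed by `pm list packages -3`)
# from stdin and prints bare package names, one per line, sorted. An app that
# hides its launcher icon still appears here: the package manager lists every
# installed package regardless of launcher visibility.
third_party_packages() {
    sed -n 's/^package:\([^[:space:]]*\).*/\1/p' | tr -d '\r' | sort
}

# Constructed sample of `pm list packages -3` output (hypothetical package
# names, with the CRLF line endings adb shell typically emits).
SAMPLE_PM_OUTPUT='package:com.example.filecrypt
package:com.example.camero
package:com.example.notes
'

# Run both checks against the attached device.
triage_device() {
    level=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
    if patch_level_vulnerable "$level"; then
        echo "security patch level $level predates $FIXED_PATCH_LEVEL: unpatched for CVE-2019-2215"
    else
        echo "security patch level $level includes the CVE-2019-2215 fix"
    fi
    echo "third-party packages installed (review anything you do not recognise):"
    adb shell pm list packages -3 | third_party_packages
}

# Usage with a device attached:   triage_device
# Offline check of the parser:    printf '%s' "$SAMPLE_PM_OUTPUT" | third_party_packages
```

A device that passes the patch-level check can still carry a pre-installed callCam, so the package review is not optional; conversely, a clean package list on an unpatched device only means this particular campaign is absent, not that the Binder bug is out of reach for the next one.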