by Ecular Xu and Joseph C Chen
We found three malicious apps in the Google Play Store that work together to compromise a victim’s device and collect user information. One of these apps, called Camero, exploits CVE-2019-2215, a vulnerability that exists in Binder (the main Inter-Process Communication system in Android). This is the first known active attack in the wild that uses the use-after-free vulnerability. Interestingly, upon further investigation we also found that the three apps are likely to be part of the SideWinder threat actor group’s arsenal. SideWinder, a group that has been active since 2012, is a known threat and has reportedly targeted military entities’ Windows machines.
The three malicious apps were disguised as photography and file manager tools. We speculate that these apps have been active since March 2019 based on the certificate information on one of the apps. The apps have since been removed from Google Play.
Figure 1. The three apps related to SideWinder group
Figure 2. Certificate information of one of the apps
SideWinder installs the payload app in two stages. It first downloads a DEX file (an Android file format) from its command and control (C&C) server. We found that the group employs Apps Conversion Tracking to configure the C&C server address. The address was Base64-encoded and then set as the referrer parameter in the URL used to distribute the malware.
Figure 3. Parsed C&C Server address
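For defenders, the referrer technique described above can be checked for in store links seen in mail, chat, or proxy logs. The following Python sketch is an added example, not code from the original research: it flags a referrer parameter whose value (or any sub-value) Base64-decodes to a host or URL. The function names, package IDs, and the .invalid host are constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlparse

# Loose pattern for "looks like a host or URL" once decoded.
HOST_RE = re.compile(
    r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?::\d{1,5})?(?:/\S*)?$", re.I)


def decode_b64_text(value):
    """Return the decoded string if value is Base64 of printable ASCII, else None."""
    # parse_qs turns '+' into ' '; also accept the URL-safe alphabet.
    value = value.strip().replace(" ", "+").replace("-", "+").replace("_", "/")
    if len(value) < 8:
        return None
    try:
        raw = base64.b64decode(value + "=" * (-len(value) % 4), validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, ValueError):
        return None
    return text if text.isprintable() else None


def hidden_endpoint(url):
    """Return a host/URL Base64-hidden in the referrer parameter, or None."""
    for value in parse_qs(urlparse(url).query).get("referrer", []):
        # A normal install referrer is itself a query string
        # (utm_source=...&utm_medium=...), so test its sub-values too.
        candidates = [value] + [v for vs in parse_qs(value).values() for v in vs]
        for cand in candidates:
            text = decode_b64_text(cand)
            if text and HOST_RE.match(text):
                return text
    return None


# Constructed samples: hypothetical package ids and a reserved .invalid host.
PLAY = "https://play.google.com/store/apps/details?id="
BENIGN = PLAY + "com.example.notes&referrer=utm_source%3Dgoogle-play%26utm_medium%3Dorganic"
FLAGGED = PLAY + "com.example.camera&referrer=" + base64.b64encode(
    b"http://c2.example.invalid/cfg").decode()

if __name__ == "__main__":
    for sample in (BENIGN, FLAGGED):
        print(hidden_endpoint(sample), "<-", sample)
```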
After this step, the downloaded DEX file downloads an APK file and installs it after exploiting the device or employing accessibility. All of this is done without user awareness or intervention. To evade detection, it uses many techniques such as obfuscation, data encryption, and invoking dynamic code.
The apps Camero and FileCrypt Manager act as droppers. After downloading the extra DEX file from the C&C server, the second-layer droppers invoke extra code to download, install, and launch the callCam app on the device.
Figure 4. Two-stage payload deployment
Figure 5. Code showing how the dropper invokes extra DEX code
To deploy the payload app callCam on the device without the user’s awareness, SideWinder does the following:
1. Device Rooting
This approach is done by the dropper app Camero and only works on Google Pixel (Pixel 2, Pixel 2 XL), Nokia 3 (TA-1032), LG V20 (LG-H990), Oppo F9 (CPH1881), and Redmi 6A devices. The malware retrieves a specific exploit from the C&C server depending on the DEX downloaded by the dropper.
Figure 6. Code snippet from Extra DEX downloaded by Camero
We were able to download five exploits from the C&C server during our investigation. They use the vulnerabilities CVE-2019-2215 and MediaTek-SU to get root privilege.
Figure 7. CVE-2019-2215 exploit
Figure 8. MediaTek-SU exploit
After acquiring root privilege, the malware installs the app callCam, enables its accessibility permission, and then launches it.
Figure 9. Commands install app, launch app, and enable accessibility
2. Using the Accessibility Permission
This approach is used by the dropper app FileCrypt Manager and works on most typical Android phones above Android 1.6. After its launch, the app asks the user to enable accessibility.
Figure 10. Steps FileCrypt Manager prompts user to do
Once granted, the app shows a full-screen window that says that it requires further setup steps. In reality, that is just an overlay screen that is displayed on top of all activity windows on the device. The overlay window sets its attributes to FLAG_NOT_FOCUSABLE and FLAG_NOT_TOUCHABLE, allowing the activity windows to detect and receive the user's touch events through the overlay screen.
Figure 11. Overlay screen
Meanwhile, the app invokes code from the extra DEX file to enable the installation of unknown apps and the installation of the payload app callCam. It also enables the payload app’s accessibility permission, and then launches the payload app. All of this happens behind the overlay screen, unbeknownst to the user, and all of these steps are performed by employing Accessibility.
Figure 12. Code enabling install of unknown apps and new APK
Figure 13. Code enabling the accessibility permission of the newly installed app
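Both deployment paths end the same way: an accessibility service is enabled for a payload package that did not come from the store. This added example (not from the original research) cross-references the output of `adb shell settings get secure enabled_accessibility_services` with `adb shell pm list packages -i` and reports services whose package has an untrusted installer. The sample output, the com.example.* names, and the Play-only trust list are assumptions.

```python
import re

# Assumption: only Play Store installs are trusted; extend for a managed fleet.
TRUSTED_INSTALLERS = {"com.android.vending"}


def parse_installers(pm_output):
    """Map package name -> installer from `pm list packages -i` output."""
    installers = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            installers[m.group(1)] = m.group(2)
    return installers


def parse_services(setting_value):
    """Split the colon-separated enabled_accessibility_services value."""
    value = setting_value.strip()
    if value in ("", "null"):
        return []
    return [c for c in value.split(":") if "/" in c]


def audit(setting_value, pm_output, preinstalled=frozenset()):
    """Return (component, installer) for services from untrusted installers."""
    installers = parse_installers(pm_output)
    findings = []
    for component in parse_services(setting_value):
        package = component.split("/", 1)[0]
        installer = installers.get(package, "not-listed")
        if package not in preinstalled and installer not in TRUSTED_INSTALLERS:
            findings.append((component, installer))
    return findings


# Constructed device output; com.example.* names are hypothetical.
SETTING = ("com.google.android.marvin.talkback/"
           "com.google.android.marvin.talkback.TalkBackService:"
           "com.example.payload/com.example.payload.HelperService\n")
PM_LIST = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.filetool  installer=com.android.vending
package:com.example.payload  installer=null
"""

if __name__ == "__main__":
    for component, installer in audit(SETTING, PM_LIST):
        print(f"review: {component} (installer={installer})")
```

A dropper that was itself installed from the store passes this check, so it covers the payload stage only; pass genuinely preinstalled packages in `preinstalled` to avoid flagging vendor services.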
The video below demonstrates payload deployment via CVE-2019-2215 on Pixel 2:
The app callCam hides its icon on the device after being launched. It collects the following information and sends it back to the C&C server in the background:
- Battery status
- Files on device
- Installed app list
- Device information
- Sensor information
- Camera information
- Wifi information
- Data of WeChat, Outlook, Twitter, Yahoo Mail, Facebook, Gmail, and Chrome
The app encrypts all stolen data using the RSA and AES encryption algorithms. It uses SHA256 to verify data integrity, and it uses a customized encoding routine. When encrypting, it creates a block of data we named headData. This block contains the first 9 bytes of the original data, the original data length, a random AES IV, the RSA-encrypted AES encryption key, and the SHA256 value of the AES-encrypted original data. The headData is then encoded through the customized routine. After the encoding, it is stored at the head of the final encrypted file, followed by the AES-encrypted original data.
Figure 14. Data encryption process
Figure 15. Customized encoding routine
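For incident responders who recover such a file, the headData fields listed above allow some triage without the RSA private key: the 9-byte prefix can reveal the original file type, and the SHA256 field shows whether the ciphertext is complete. The following Python parser is an added example, not code from the original research. It assumes the customized encoding has already been reversed and that the fields appear in the order listed with the widths shown in the comments; those widths and the sample blob are assumptions, not values from the analysis.

```python
import hashlib
import struct

# Assumed layout (field order from the text; widths are assumptions):
# 9-byte plaintext prefix | uint32 big-endian length | 16-byte AES IV |
# 256-byte RSA-wrapped key (2048-bit modulus) | 32-byte SHA256 of ciphertext
HEAD = struct.Struct(">9sI16s256s32s")

# Well-known file signatures, truncated to what fits in the 9-byte prefix.
MAGIC = {b"SQLite fo": "sqlite", b"%PDF-": "pdf", b"\x89PNG": "png",
         b"\xff\xd8\xff": "jpeg", b"PK\x03\x04": "zip"}


def triage(blob):
    """Parse decoded headData + ciphertext; report what is checkable without keys."""
    if len(blob) < HEAD.size:
        raise ValueError("blob shorter than the assumed headData size")
    prefix, length, iv, _wrapped_key, digest = HEAD.unpack_from(blob)
    body = blob[HEAD.size:]
    kind = next((n for sig, n in MAGIC.items() if prefix.startswith(sig)), "unknown")
    return {
        "file_type": kind,                      # leaked by the plaintext prefix
        "original_length": length,
        "iv": iv.hex(),
        "integrity_ok": hashlib.sha256(body).digest() == digest,
        "length_plausible": len(body) >= length,  # ciphertext never shorter
    }


def constructed_sample():
    """Build a sample blob; the 'ciphertext' is filler bytes, not real AES output."""
    body = bytes(range(64))
    head = HEAD.pack(b"SQLite fo", 60, bytes(16), bytes(256),
                     hashlib.sha256(body).digest())
    return head + body


if __name__ == "__main__":
    print(triage(constructed_sample()))
```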
Relation to SideWinder
These apps may be attributed to SideWinder as the C&C servers it uses are suspected to be part of SideWinder’s infrastructure. In addition, a URL linking to one of the apps’ Google Play pages is also found on one of the C&C servers.
Figure 16. Google Play URL of FileManager app found in one of the C&C servers.
Trend Micro Solutions
Trend Micro solutions such as the Trend Micro™ Mobile Security for Android™ can detect these malicious apps. End users can also benefit from its multilayered security capabilities that secure the device owner’s data and privacy and safeguard them from ransomware, fraudulent websites, and identity theft.
For organizations, the Trend Micro Mobile Security for Enterprise suite provides device, compliance, and application management, data protection, and configuration provisioning. It also protects devices from attacks that exploit vulnerabilities, prevents unauthorized access to apps, and detects and blocks malware and fraudulent websites. Trend Micro’s Mobile App Reputation Service (MARS) covers Android and iOS threats using leading sandbox and machine learning technologies to protect users against malware, zero-day and known exploits, privacy leaks, and application vulnerabilities.
Updated January 8, 2020 5PM EST with a video showing the exploit of CVE-2019-2215
Indicators of Compromise
|SHA256|Package Name/File type|App Name/Detection Name|
MITRE ATT&CK Matrix™