Connect with us

Hi, what are you looking for?


Malware & Threats

App Found in Google Play Exploits Recent Android Zero-Day

A malicious application in the Google Play store targeted a recently patched zero-day vulnerability that affects multiple Android devices, including Google’s Pixel phones.

A malicious application in the Google Play store targeted a recently patched zero-day vulnerability that affects multiple Android devices, including Google’s Pixel phones.

Tracked as CVE-2019-2215, the vulnerability was disclosed as a zero-day in October by Google Project Zero security researcher Maddie Stone. A use-after-free in the binder driver, the bug could lead to an exploitable crash.

The flaw was initially addressed in December 2017 in the 4.14 Linux kernel, the Android Open Source Project (AOSP) 3.18 kernel, AOSP 4.4 kernel, and AOSP 4.9 kernel. Two years later, it was still impacting Pixel 2; Pixel 1; Huawei P20; Xiaomi Redmi 5A, Redmi Note 5, and A1; Oppo A3; Motorola Moto Z3; LG phones running Android 8 Oreo; and Samsung Galaxy S7, S8 and S9 models.

Google included patches for the flaw in its October 2019 set of Android fixes and a proof-of-concept was published a couple of weeks later.

When first detailing the bug, Stone said that she had received information that an exploit for it existed, and that it was being used by Israeli spyware company NSO, which is known for building the infamous iOS malware Pegasus.

In a November blog detailing the finding, she revealed that the “information included marketing materials for this exploit,” and also said that the exploit was allegedly “used to install a version of Pegasus.”

“[W]e believe that attackers have been able to use this vulnerability to exploit users in the wild. Given the information in various public documents about the services that NSO Group provides, it seems most likely that this vulnerability was chained with either a browser renderer exploit or other remote capability,” she said.

Advertisement. Scroll to continue reading.

Now, Trend Micro reveals that three malicious applications that have been available in Google Play since March 2019 are working together to compromise devices and collect user information, and that one of them exploits CVE-2019-2215. Disguised as photography and file manager tools, the apps appear linked to the SideWinder threat group.

Two of the apps, Camero and FileCrypt Manger, act as droppers. An extra DEX file is fetched from the command and control (C&C) server, then code is used to launch a payload app called callCam.

On Pixel 2, Pixel 2 XL, Nokia 3 (TA-1032), LG V20 (LG-H990), Oppo F9 (CPH1881), and Redmi 6A devices, Camero retrieves a specific exploit from the C&C — the researchers downloaded five exploits from the server — with CVE-2019-2215 and MediaTek-SU abused to achieve root before installing callCam.

FileCrypt Manager, on the other hand, asks the user to enable the accessibility permission, then shows a full screen window claiming that further setup steps are required. The window, however, is meant to hide malicious activity: it installs callCam and enables the accessibility permission for it.

The payload collects data such as location, battery status, files on device, installed app list, device information, sensor information, camera information, account details, Wi-Fi information, screenshots, and data from WeChat, Outlook, Twitter, Yahoo Mail, Facebook, Gmail, and Chrome. All of this data is encrypted and sent to the C&C server.

Based on the used C&C, the applications appear related to SideWinder, an attack group active since 2012, which is known for the targeting of military entities. Additionally, a URL linking to one of the apps’ Google Play pages was discovered on one of the C&C servers, Trend Micro reveals.

Related: Google Patches Remote Code Execution Bugs in Android 10

Related: Researcher Publishes PoC Exploit for Recent Android Zero-Day

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.