A malicious application in the Google Play store targeted a recently patched zero-day vulnerability that affects multiple Android devices, including Google’s Pixel phones.
Tracked as CVE-2019-2215, the vulnerability was disclosed as a zero-day in October by Google Project Zero security researcher Maddie Stone. A use-after-free in the binder driver, the bug could lead to an exploitable crash.
The flaw was initially addressed in December 2017 in the 4.14 Linux kernel, the Android Open Source Project (AOSP) 3.18 kernel, AOSP 4.4 kernel, and AOSP 4.9 kernel. Two years later, it was still impacting Pixel 2; Pixel 1; Huawei P20; Xiaomi Redmi 5A, Redmi Note 5, and A1; Oppo A3; Motorola Moto Z3; LG phones running Android 8 Oreo; and Samsung Galaxy S7, S8 and S9 models.
Google included patches for the flaw in its October 2019 set of Android fixes and a proof-of-concept was published a couple of weeks later.
When first detailing the bug, Stone said that she had received information that an exploit for it existed, and that it was being used by Israeli spyware company NSO, which is known for building the infamous iOS malware Pegasus.
In a November blog detailing the finding, she revealed that the “information included marketing materials for this exploit,” and also said that the exploit was allegedly “used to install a version of Pegasus.”
“[W]e believe that attackers have been able to use this vulnerability to exploit users in the wild. Given the information in various public documents about the services that NSO Group provides, it seems most likely that this vulnerability was chained with either a browser renderer exploit or other remote capability,” she said.
Now, Trend Micro reveals that three malicious applications that have been available in Google Play since March 2019 are working together to compromise devices and collect user information, and that one of them exploits CVE-2019-2215. Disguised as photography and file manager tools, the apps appear linked to the SideWinder threat group.
Two of the apps, Camero and FileCrypt Manger, act as droppers. An extra DEX file is fetched from the command and control (C&C) server, then code is used to launch a payload app called callCam.
On Pixel 2, Pixel 2 XL, Nokia 3 (TA-1032), LG V20 (LG-H990), Oppo F9 (CPH1881), and Redmi 6A devices, Camero retrieves a specific exploit from the C&C — the researchers downloaded five exploits from the server — with CVE-2019-2215 and MediaTek-SU abused to achieve root before installing callCam.
FileCrypt Manager, on the other hand, asks the user to enable the accessibility permission, then shows a full screen window claiming that further setup steps are required. The window, however, is meant to hide malicious activity: it installs callCam and enables the accessibility permission for it.
The payload collects data such as location, battery status, files on device, installed app list, device information, sensor information, camera information, account details, Wi-Fi information, screenshots, and data from WeChat, Outlook, Twitter, Yahoo Mail, Facebook, Gmail, and Chrome. All of this data is encrypted and sent to the C&C server.
Based on the used C&C, the applications appear related to SideWinder, an attack group active since 2012, which is known for the targeting of military entities. Additionally, a URL linking to one of the apps’ Google Play pages was discovered on one of the C&C servers, Trend Micro reveals.
Related: Google Patches Remote Code Execution Bugs in Android 10
Related: Researcher Publishes PoC Exploit for Recent Android Zero-Day