First Active Attack Exploiting CVE-2019-2215 Found on Google Play, Linked to SideWinder APT Group

by Ecular Xu and Joseph C Chen


We found three malicious apps in the Google Play Store that work together to compromise a victim’s device and collect user information. One of these apps, called Camero, exploits CVE-2019-2215, a vulnerability that exists in Binder (the main Inter-Process Communication system in Android). This is the first known active attack in the wild that uses the use-after-free vulnerability. Interestingly, upon further investigation we also found that the three apps are likely to be part of the SideWinder threat actor group’s arsenal. SideWinder, a group that has been active since 2012, is a known threat and has reportedly targeted military entities’ Windows machines.


The three malicious apps were disguised as photography and file manager tools. We speculate that these apps have been active since March 2019 based on the certificate information on one of the apps. The apps have since been removed from Google Play.



Figure 1. The three apps related to SideWinder group



Figure 2. Certificate information of one of the apps


Installation

SideWinder installs the payload app in two stages. It first downloads a DEX file (an Android file format) from its command and control (C&C) server. We found that the group employs Apps Co ..
