Researchers from cybersecurity firm Trend Micro revealed that they have discovered three malicious apps on Google Play designed to compromise victims' devices and steal information.
The three malicious apps, Camero, FileCrypt Manager, and callCam, were disguised as photography and file manager tools, according to the researchers. They also observed that the Camero app exploits CVE-2019-2215, a use-after-free vulnerability in Binder, Android's inter-process communication system. By exploiting CVE-2019-2215, attackers can inject malicious code and steal information without the user's knowledge.
The researchers also found that the three apps likely belong to the hacking group SideWinder. The SideWinder group is believed to have been active since 2012 and has reportedly targeted the Windows machines of military entities.
“We speculate that these apps have been active since March 2019 based on the certificate information on one of the apps. The apps have since been removed from Google Play,” the researchers said.
Malware Distribution
According to the researchers, the SideWinder group deploys the malware payload in two steps:
- The dropper app downloads a DEX file from the attacker's C&C server.
- After exploiting the device, the downloaded DEX file installs a further APK; the Camero and FileCrypt Manager apps act as the droppers.
“After downloading the extra DEX file from the C&C server, the second-layer droppers invoke extra code to download, install, and launch the callCam app on the device,” the researchers said.
To deploy the callCam app on the device, SideWinder uses techniques such as obfuscation, data encryption, and dynamic code loading to evade detection.
Once downloaded, the callCam app hides its icon on the device, collects users' information, and sends it to the C&C server. The compromised information includes user location, battery status, files on the device, the installed app list, device information, sensor information, camera information, screenshots, account information, and Wi-Fi information. It also captures data from applications such as Twitter, Yahoo Mail, WeChat, Facebook, Gmail, and other social media apps.
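The two-step dropper chain and the icon-hiding collector described above can be triaged statically from the API references and manifest permissions an analyser extracts from an APK. The following is an added example for defenders, not Trend Micro's tooling or code from the apps; the indicator names are real Android identifiers, the sample profiles are constructed, and the assumption that icon hiding is done by disabling the launcher Activity is the author's, since the article does not say how callCam does it.

```python
# Added example (not Trend Micro's tooling): triage the API references and manifest
# permissions a static analyser extracts from an APK against the chain the article
# describes: fetch code, load it dynamically, install a further APK, hide the launcher
# icon, then read device data. Indicator names are real Android identifiers.
DYNAMIC_LOAD = {"dalvik.system.DexClassLoader", "dalvik.system.InMemoryDexClassLoader"}
NETWORK_FETCH = {"java.net.HttpURLConnection", "okhttp3.OkHttpClient"}
INSTALL_APK = {"android.content.pm.PackageInstaller", "android.permission.REQUEST_INSTALL_PACKAGES"}
# Disabling the launcher Activity is the usual way an app hides its icon (assumption:
# the article does not say how callCam does it).
ICON_HIDING = {"PackageManager.setComponentEnabledSetting", "COMPONENT_ENABLED_STATE_DISABLED"}
COLLECTION_PERMS = {"android.permission.ACCESS_FINE_LOCATION", "android.permission.CAMERA",
                    "android.permission.READ_EXTERNAL_STORAGE", "android.permission.GET_ACCOUNTS",
                    "android.permission.ACCESS_WIFI_STATE"}


def assess(api_refs: set[str], permissions: set[str], min_collection_perms: int = 3) -> dict:
    """Match indicators to the two behaviour clusters; a lone DexClassLoader or HTTP
    client is common in benign apps, so each verdict needs the complete chain."""
    refs = api_refs | permissions
    hits = {"dynamic_load": sorted(refs & DYNAMIC_LOAD),
            "network_fetch": sorted(refs & NETWORK_FETCH),
            "install_apk": sorted(refs & INSTALL_APK),
            "icon_hiding": sorted(refs & ICON_HIDING),
            "collection_perms": sorted(permissions & COLLECTION_PERMS)}
    # Two-stage dropper: downloads a DEX, loads it, installs the next APK.
    dropper = all(hits[k] for k in ("dynamic_load", "network_fetch", "install_apk"))
    # Covert collector: hides its icon and holds several data-access permissions.
    collector = bool(hits["icon_hiding"]) and len(hits["collection_perms"]) >= min_collection_perms
    return {"dropper": dropper, "covert_collector": collector, "hits": hits}


# Constructed sample profiles, not real extractions from the apps named in the article.
BENIGN_PHOTO_APP = ({"java.net.HttpURLConnection", "dalvik.system.DexClassLoader"},
                    {"android.permission.CAMERA", "android.permission.READ_EXTERNAL_STORAGE"})
DROPPER_LIKE_APP = ({"java.net.HttpURLConnection", "dalvik.system.DexClassLoader",
                     "android.content.pm.PackageInstaller", "PackageManager.setComponentEnabledSetting"},
                    {"android.permission.REQUEST_INSTALL_PACKAGES", "android.permission.CAMERA",
                     "android.permission.ACCESS_FINE_LOCATION", "android.permission.ACCESS_WIFI_STATE",
                     "android.permission.GET_ACCOUNTS"})

if __name__ == "__main__":
    for name, (refs, perms) in (("benign", BENIGN_PHOTO_APP), ("dropper-like", DROPPER_LIKE_APP)):
        v = assess(refs, perms)
        print(f"{name}: dropper={v['dropper']} covert_collector={v['covert_collector']}")
```

The benign profile shows why a single indicator is not enough: a photo app that loads a filter plugin over HTTP trips two of the three dropper checks yet is not flagged.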
The three malicious applications were found to have been active since March 2019 and have now been removed from the Google Play store.