Google app vulnerability being exploited in the wild: Trend Micro

The Sidewinder APT group has been actively abusing a Binder vulnerability in at least three apps found in the Google Play store.

The three apps, all file manager and photography tools, were uploaded starting in March 2019, but have since been removed. The apps involved are Camero, FileCrypt and callCam. The vulnerability affects several Android devices, including Pixel 1 and 2 phones, enabling an attacker to gain root access.

“Upon further investigation we also found that the three apps are likely to be part of the SideWinder threat actor group’s arsenal. SideWinder, a group that has been active since 2012, is a known threat and has reportedly targeted military entities’ Windows machines,” wrote Trend Micro researchers Ecular Xu and Joseph Chen.

The flaw, CVE-2019-2215, is a use-after-free in binder.c that can allow an elevation of privilege from an application to the Linux kernel. Exploiting it requires either the installation of a malicious local application or a separate vulnerability in a network-facing application.

Once the malicious app is on the device, the download procedure begins. In the first of two stages, a DEX file is downloaded from the command and control (C2) server, which in turn downloads an APK file. These actions take place outside the view of the device owner.

The command and control server contains several exploits based on CVE-2019-2215 and the rooting tool MediaTek-SU to gain root access on the device. Once root access is gained, the app callCam is installed to give the attacker access to the device.

At this point the device owner is brought back into the attack when the malware asks for additional steps to be taken to complete the app’s setup. What is really happening is that the owner is viewing an overlay screen displayed on top of all activity windows on the device.

“The overlay window sets its attributions to FLAG_NOT_FOCUSABLE and FLAG_NOT_TOUCHABLE, allowing the activity windows to detect and receive the users’ touch events through the overlay screen,” the researchers said.
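As an added illustration from the defender's side (not code from the article or from Trend Micro's report), this is how an Android activity can refuse touch input that reaches it through an overlay of the kind described above; the layout and view ids are hypothetical.

```java
import android.app.Activity;
import android.os.Bundle;
import android.util.Log;
import android.view.MotionEvent;
import android.view.View;
import android.widget.Button;

// Hypothetical sensitive screen (e.g. a permission or setup confirmation)
// hardened against touches delivered while another window is drawn on top.
public class SetupConfirmActivity extends Activity {

    private static final String TAG = "SetupConfirm";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_setup_confirm); // hypothetical layout

        Button confirm = (Button) findViewById(R.id.confirm_button); // hypothetical id

        // Ask the framework to discard touch events that arrive while this
        // window is obscured by another window, such as a FLAG_NOT_TOUCHABLE
        // overlay that passes taps through. This is the same as setting
        // android:filterTouchesWhenObscured="true" on the view in XML.
        confirm.setFilterTouchesWhenObscured(true);

        // Manual variant for views where the attribute is not set: inspect the
        // event flags and reject obscured touches, logging the rejection so it
        // can be surfaced to the user or to telemetry.
        confirm.setOnTouchListener(new View.OnTouchListener() {
            @Override
            public boolean onTouch(View v, MotionEvent event) {
                if ((event.getFlags() & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0) {
                    Log.w(TAG, "touch rejected: window obscured by an overlay");
                    return true; // consume the event; the click never fires
                }
                return false; // not obscured: let normal click handling proceed
            }
        });
    }
}
```

With setFilterTouchesWhenObscured enabled the framework drops obscured events before the listener runs, so the listener only matters for views that rely on the manual check.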

CallCam’s capabilities are then used to gain access to the following information:

  • Location
  • Battery status
  • Files on device
  • Installed app list
  • Device information
  • Sensor information
  • Camera information
  • Screenshot
  • Account
  • Wifi information
  • Data of WeChat, Outlook, Twitter, Yahoo Mail, Facebook, Gmail, and Chrome

The stolen data is encrypted for transmission to the C2 server.

The post Google app vulnerability being exploited in the wild: Trend Micro appeared first on SC Media.