Malicious apps distributed through Google Play exploited a recently patched zero-day flaw that affects multiple Android devices, including Google's own Pixel phones.
Tracked as CVE-2019-2215, the bug was disclosed as a zero-day in October by Google Project Zero security researcher Maddie Stone. It is a use-after-free in the Android binder driver that can lead to exploitable memory corruption.
The bug was originally fixed in December 2017 in the 4.14 Linux kernel and in the Android Open Source Project (AOSP) 3.18, 4.4, and 4.9 kernels. Two years later it still affected the Pixel 1 and Pixel 2; the Huawei P20; the Xiaomi Redmi 5A, Redmi Note 5, and A1; the Oppo A3; the Motorola Moto Z3; LG phones running Android 8 Oreo; and the Samsung Galaxy S7, S8, and S9.
Google included a patch for the flaw in its October 2019 Android security updates, and a proof-of-concept was released a few weeks later.
When Stone first identified the flaw, she said she had received information that an exploit for it existed and was being used by NSO, an Israeli spyware company known for developing the notorious Pegasus iOS malware.
In a November blog post describing the discovery, she wrote that the “details contained marketing materials for this exploit,” and that the exploit was reportedly “used to update a beta of Pegasus.” She added: “[W]e suspect attackers could be using this flaw to target users in the wild. Given the details on the capabilities NSO Group offers in various public records, it is more likely that this bug has been bundled with either a client-side renderer exploit or some other remote capability.”
Today, Trend Micro reports that three malicious apps published to Google Play since March 2019 work together to compromise smartphones and steal user information, and that one of them exploits CVE-2019-2215. Disguised as photography and file-manager utilities, the apps appear to be linked to the threat group SideWinder.
Two of the apps, Camero and FileCrypt Manager, act as droppers. They download an additional DEX file from the C&C server, and that code is then used to launch a payload app called callCam.
On the Pixel 2, Pixel 2 XL, Nokia 3 (TA-1032), LG V20 (LG-H990), Oppo F9 (CPH1881), and Redmi 6A, Camero retrieves a device-specific exploit from the C&C server (the researchers downloaded five exploits from it), using CVE-2019-2215 and MediaTek-SU to gain root before callCam is deployed.
FileCrypt Manager, on the other hand, asks the user to grant it the accessibility permission and then displays a full-screen window claiming that additional configuration steps are needed. The window is actually there to hide malicious activity: behind it, the app installs callCam and grants it the permissions it needs.
The payload collects data from WeChat, Outlook, Twitter, Yahoo Mail, Facebook, Gmail, and Chrome, along with location, battery level, system settings, the list of installed apps, device information, sensor information, camera information, account details, Wi-Fi information, and screenshots. All of this data is encrypted and sent to the C&C server.
Based on the C&C infrastructure used, the apps appear to be linked to SideWinder, an attack group active since 2012 that is known for targeting military entities. In addition, Trend Micro reveals, a URL pointing to one of the apps' Google Play pages was found on one of the C&C servers.