# First Active Attack Exploiting CVE-2019-2215 Found on Google Play, Linked to SideWinder APT Group

Posted on: January 6, 2020 at 5:00 am
Posted in: Exploits, Mobile
Author: Trend Micro

**by Ecular Xu and Joseph C Chen**

We found three malicious apps in the Google Play Store that work together to compromise a victim’s device and collect user information. One of these apps, called Camero, exploits [CVE-2019-2215](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2215), a vulnerability that exists in Binder (the main inter-process communication system in Android). This is the first known active attack in the wild that uses the [use-after-free vulnerability](https://googleprojectzero.blogspot.com/2019/11/bad-binder-android-in-wild-exploit.html). Interestingly, upon further investigation we also found that the three apps are likely to be part of the SideWinder threat actor group’s arsenal. SideWinder, a [...] Windows machines.

The three malicious apps were disguised as photography and file manager tools. We speculate that these apps have been active since March 2019 based on the certificate information on one of the apps. The apps have since been removed from Google Play.

Figure 1.
The three apps related to the SideWinder group

Figure 2. Certificate information of one of the apps

**Installation**

SideWinder installs the payload app in two stages. It first downloads a DEX file (an Android file format) from its command and control (C&C) server. We found that the group employs [Apps Conversion Tracking](https://developers.google.com/app-conversion-tracking) to configure the C&C server address. The address was encoded in Base64 and then set as the referrer parameter in the URL used in the distribution of the malware.

Figure 3. Parsed C&C server address

After this step, the downloaded DEX file downloads an APK file and installs it after exploiting the device or employing accessibility. All of this is done without user awareness or intervention. To evade detection, it uses many techniques such as obfuscation, data encryption, and invoking dynamic code.

The apps Camero and FileCrypt Manager act as droppers. After downloading the extra DEX file from the C&C server, the second-layer droppers invoke extra code to download, install, and launch the callCam app on the device.

Figure 4. Two-stage payload deployment

To deploy the payload app callCam on the device without the user’s awareness, SideWinder does the following:

**1. Device Rooting**

This approach is done by the dropper app Camero and only works on Google Pixel (Pixel 2, Pixel 2 XL), Nokia 3 (TA-1032), LG V20 (LG-H990), Oppo F9 (CPH1881), and Redmi 6A devices. The malware retrieves a specific exploit from the C&C server depending on the DEX downloaded by the dropper.

Figure 6.
Code snippet from the extra DEX downloaded by Camero

We were able to download five exploits from the C&C server during our investigation. They use the vulnerabilities CVE-2019-2215 and MediaTek-SU to get root privilege.

Figure 7. CVE-2019-2215 exploit

Figure 8. MediaTek-SU exploit

After acquiring root privilege, the malware installs the app callCam, enables its accessibility permission, and then launches it.

Figure 9. Commands to install the app, launch the app, and enable accessibility

**2. Using the Accessibility Permission**

This approach is used by the dropper app FileCrypt Manager and works on most typical Android phones above Android 1.6. After its launch, the app asks the user to enable accessibility.

Figure 10. Steps FileCrypt Manager prompts the user to do

Once granted, the app shows a full-screen window that says it requires further setup steps. In reality, that is just an overlay screen displayed on top of all activity windows on the device. The overlay window sets its attributes to [FLAG_NOT_FOCUSABLE](https://developer.android.com/reference/android/view/WindowManager.LayoutParams.html#FLAG_NOT_FOCUSABLE) and [FLAG_NOT_TOUCHABLE](https://developer.android.com/reference/android/view/WindowManager.LayoutParams.html#FLAG_NOT_TOUCHABLE), allowing the activity windows beneath it to detect and receive the user’s touch events through the overlay screen.

Meanwhile, the app invokes code from the extra DEX file to enable the installation of unknown apps and the installation of the payload app callCam. It also enables the payload app’s accessibility permission, and then launches the payload app.
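The Installation section above notes that the C&C address travels Base64-encoded in the Play Store `referrer` parameter. The helper below, an added analysis example that is not code from the report, recovers such an address from a captured install URL; the function names, the package name and the server address are constructed placeholders, not indicators from the report.

```python
import base64
import binascii
from typing import Optional
from urllib.parse import parse_qs, quote, unquote, urlparse

def decode_referrer(value: str) -> Optional[str]:
    """URL-decode, then Base64-decode a referrer value as the dropper would.
    Standard and URL-safe alphabets are tried and missing padding is tolerated,
    since install pipelines sometimes re-encode the parameter."""
    raw = unquote(value)
    padded = raw + "=" * (-len(raw) % 4)
    decoders = (lambda s: base64.b64decode(s, validate=True), base64.urlsafe_b64decode)
    for decoder in decoders:
        try:
            text = decoder(padded).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            continue
        # Accept only something shaped like a server address, not any decodable token
        if text.isprintable() and (text.startswith(("http://", "https://")) or "." in text):
            return text
    return None

def extract_c2_from_install_url(url: str) -> Optional[str]:
    """Return the decoded C&C address carried in a Play Store URL's referrer parameter."""
    query = parse_qs(urlparse(url).query)
    for value in query.get("referrer", []):
        decoded = decode_referrer(value)
        if decoded:
            return decoded
    return None

# Constructed sample: the package name and server address are placeholders,
# not indicators from the report.
SAMPLE_C2 = "https://c2.example.invalid/dex"
SAMPLE_URL = ("https://play.google.com/store/apps/details?id=com.example.camera&referrer="
              + quote(base64.b64encode(SAMPLE_C2.encode()).decode()))

if __name__ == "__main__":
    print(extract_c2_from_install_url(SAMPLE_URL))
```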
All of this happens behind the overlay screen, unbeknownst to the user, and all these steps are performed by employing Accessibility.

Figure 12. Code enabling the installation of unknown apps and of the new APK

Figure 13. Code enabling the accessibility permission of the newly installed app

**callCam’s Activities**

The app callCam hides its icon on the device after being launched. It collects the following information and sends it back to the C&C server in the background:

- Location
- Battery status
- Files on device
- Installed app list
- Device information
- Sensor information
- Camera information
- Screenshot
- Account
- Wifi information

The app encrypts all stolen data using the RSA and AES encryption algorithms. It uses SHA256 to verify data integrity and customizes the encoding routine. When encrypting, it creates a block of data we named headData. This block contains the first 9 bytes of the original data, the original data length, a random AES IV, the RSA-encrypted AES key, and the SHA256 value of the AES-encrypted original data. The headData is then encoded through the customized routine. After encoding, it is stored at the head of the final encrypted file, followed by the AES-encrypted original data.

Figure 14. Data encryption process

Figure 15. Customized encoding routine

**Relation to SideWinder**

[...] SideWinder’s infrastructure. In addition, a URL linking to one of the apps’ Google Play pages is also found on one of the C&C servers.

Figure 16. Google Play URL of the FileManager app found in one of the C&C servers
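A structural check on the exfiltration envelope described above, as an added example that is not code from the report or from the malware. Field order follows the description; the field widths (4-byte length, 16-byte IV, 256-byte RSA-wrapped key), modelling the customized headData encoding as identity, and the AES-CBC/PKCS7 body size are assumptions, and the "ciphertext" is constructed random bytes standing in for real AES output. The point it shows is that the SHA256 in headData lets an analyst verify a captured file without any key, and that the 9 leaked plaintext bytes identify the content type.

```python
import hashlib
import os
import struct
from typing import Dict

PREFIX_LEN = 9         # first 9 bytes of the original data (from the report)
LEN_FIELD = 4          # original data length as big-endian uint32 (assumed width)
IV_LEN = 16            # random AES IV (assumed: one AES block)
WRAPPED_KEY_LEN = 256  # RSA-encrypted AES key (assumed: RSA-2048 output size)
DIGEST_LEN = 32        # SHA256 of the AES-encrypted original data
HEAD_LEN = PREFIX_LEN + LEN_FIELD + IV_LEN + WRAPPED_KEY_LEN + DIGEST_LEN

# Constructed plaintext standing in for a callCam report; not data from the sample.
SAMPLE_ORIGINAL = b'{"location":{"lat":0.0,"lon":0.0},"battery":100}'

def build_envelope(original, iv, wrapped_key, ciphertext) -> bytes:
    """headData followed by the AES-encrypted body, in the order the report describes.
    The sample's customized encoding of headData is modelled as identity (assumption)."""
    head = (original[:PREFIX_LEN].ljust(PREFIX_LEN, b"\x00")
            + struct.pack(">I", len(original)) + iv + wrapped_key
            + hashlib.sha256(ciphertext).digest())
    return head + ciphertext

def parse_envelope(blob: bytes) -> Dict[str, object]:
    """Split a captured envelope into fields and verify the ciphertext digest.
    No key is needed for this check; the 9 leaked plaintext bytes usually
    reveal the content type of the stolen file."""
    if len(blob) < HEAD_LEN:
        raise ValueError("blob shorter than headData")
    head, body = blob[:HEAD_LEN], blob[HEAD_LEN:]
    prefix, rest = head[:PREFIX_LEN], head[PREFIX_LEN:]
    (orig_len,) = struct.unpack(">I", rest[:LEN_FIELD]); rest = rest[LEN_FIELD:]
    iv, rest = rest[:IV_LEN], rest[IV_LEN:]
    wrapped_key, digest = rest[:WRAPPED_KEY_LEN], rest[WRAPPED_KEY_LEN:]
    if hashlib.sha256(body).digest() != digest:
        raise ValueError("ciphertext digest mismatch: truncated or tampered")
    if orig_len > len(body):
        raise ValueError("length field larger than the encrypted body")
    return {"prefix": prefix, "orig_len": orig_len, "iv": iv,
            "wrapped_key": wrapped_key, "ciphertext": body}

def is_intact(blob: bytes) -> bool:
    try:
        parse_envelope(blob)
        return True
    except ValueError:
        return False

def make_sample() -> bytes:
    # Random IV, key blob and "ciphertext" (AES-CBC/PKCS7 size) stand in for real crypto.
    padded = len(SAMPLE_ORIGINAL) + 16 - len(SAMPLE_ORIGINAL) % 16
    return build_envelope(SAMPLE_ORIGINAL, os.urandom(IV_LEN),
                          os.urandom(WRAPPED_KEY_LEN), os.urandom(padded))
```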
**Trend Micro Solutions**

Trend Micro solutions such as [Trend Micro™ Mobile Security for Android™](https://www.trendmicro.com/en_us/forHome/products/mobile-security.html) can detect these malicious apps. End users can also benefit from its multilayered security capabilities that secure the device owner’s data and privacy and safeguard them from ransomware, fraudulent websites, and identity theft.

For organizations, the [Trend Micro Mobile Security for Enterprise](https://www.trendmicro.com/en_us/business/products/user-protection/sps.html) suite provides device, compliance, and application management, data protection, and configuration provisioning. It also protects devices from attacks that exploit vulnerabilities, prevents unauthorized access to apps, and detects and blocks malware and fraudulent websites.

[Trend Micro’s Mobile App Reputation Service (MARS)](https://mars.trendmicro.com/) covers Android and iOS threats using leading sandbox and machine learning technologies to protect users against malware, zero-day and known exploits, privacy leaks, and application vulnerabilities.
**Indicators of Compromise**

| Package Name/File type | App Name/Detection Name |
|---|---|
| DEX | AndroidOS_SWinderSpy.HRXA |
| ELF | AndroidOS_MtkSu.A |
| ELF | AndroidOS_BinderExp.A |
| com.callCam.android.callCam2base | callCam |
| com.abdulrauf.filemanager | FileCrypt Manager |

**C&C Servers**

- ms-ethics.net
- deb-cn.net
- ap1-acl.net
- ms-db.net
- aws-check.net
- reawk.net

**MITRE ATT&CK Matrix™**