{
	"id": "717ba9ac-1fce-4d38-bd31-908e9f853cb4",
	"created_at": "2026-04-06T00:20:12.460931Z",
	"updated_at": "2026-04-10T03:37:20.339744Z",
	"deleted_at": null,
	"sha1_hash": "f9be263b232d231a32aed9a83ea0e83fb9b5e3d1",
	"title": "First Binder Exploit Linked to SideWinder APT Group",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 87158,
	"plain_text": "First Binder Exploit Linked to SideWinder APT Group\r\nBy: Ecular Xu, Joseph C Chen. Jan 06, 2020. Read time: 4 min (1109 words)\r\nPublished: 2020-01-06 · Archived: 2026-04-02 10:54:52 UTC\r\nUpdated January 8, 2020 5PM EST with a video showing the exploit of CVE-2019-2215.\r\nWe found three malicious apps in the Google Play Store that work together to compromise a victim’s device and collect user information. One of these apps, called Camero, exploits CVE-2019-2215, a vulnerability that exists in Binder (the main Inter-Process Communication system in Android). This is the first known active attack in the wild that uses this use-after-free vulnerability. Interestingly, upon further investigation we also found that the three apps are likely to be part of the SideWinder threat actor group’s arsenal. SideWinder, a group that has been active since 2012, is a known threat and has reportedly targeted military entities’ Windows machines.\r\nThe three malicious apps were disguised as photography and file manager tools. We speculate that these apps have been active since March 2019 based on the certificate information on one of the apps. The apps have since been removed from Google Play.\r\nFigure 1. The three apps related to SideWinder group\r\nFigure 2. Certificate information of one of the apps\r\nInstallation\r\nSideWinder installs the payload app in two stages. It first downloads a DEX file (an Android file format) from its command and control (C\u0026C) server. We found that the group employs Apps Conversion Tracking to configure the C\u0026C server address. The address was encoded in Base64 and then set as the referrer parameter in the URL used in the distribution of the malware.\r\nFigure 3. Parsed C\u0026C Server address\r\nAfter this step, the downloaded DEX file downloads an APK file and installs it after exploiting the device or employing accessibility. All of this is done without user awareness or intervention. To evade detection, it uses many techniques such as obfuscation, data encryption, and invoking dynamic code.\r\nThe apps Camero and FileCrypt Manager act as droppers. After downloading the extra DEX file from the C\u0026C server, the second-layer droppers invoke extra code to download, install, and launch the callCam app on the device.\r\nFigure 4. Two-stage payload deployment\r\nFigure 5. Code showing how the dropper invokes extra DEX code\r\nTo deploy the payload app callCam on the device without the user’s awareness, SideWinder does the following:\r\n1. Device Rooting\r\nThis approach is done by the dropper app Camero and only works on Google Pixel (Pixel 2, Pixel 2 XL), Nokia 3 (TA-1032), LG V20 (LG-H990), Oppo F9 (CPH1881), and Redmi 6A devices. The malware retrieves a specific exploit from the C\u0026C server depending on the DEX downloaded by the dropper.\r\nhttps://blog.trendmicro.com/trendlabs-security-intelligence/first-active-attack-exploiting-cve-2019-2215-found-on-google-play-linked-to-sidewinder-apt-group/\r\nPage 1 of 4\r\nFigure 6. Code snippet from Extra DEX downloaded by Camero\r\nWe were able to download five exploits from the C\u0026C server during our investigation. They use the vulnerabilities CVE-2019-2215 and MediaTek-SU to get root privilege.\r\nFigure 7. CVE-2019-2215 exploit\r\nFigure 8. MediaTek-SU exploit\r\nAfter acquiring root privilege, the malware installs the app callCam, enables its accessibility permission, and then launches it.\r\nFigure 9. Commands install app, launch app, and enable accessibility\r\n2. Employing Accessibility\r\nThis approach is used by the dropper app FileCrypt Manager and works on most typical Android phones above Android 1.6. After its launch, the app asks the user to enable accessibility.\r\nFigure 10. Steps FileCrypt Manager prompts user to do\r\nOnce granted, the app shows a full-screen window that says that it requires further setup steps. In reality, that is just an overlay screen that is displayed on top of all activity windows on the device. The overlay window sets its attributes to FLAG_NOT_FOCUSABLE and FLAG_NOT_TOUCHABLE, allowing the activity windows underneath to detect and receive the user’s touch events through the overlay screen.\r\nFigure 11. Overlay screen\r\nMeanwhile, the app invokes code from the extra DEX file to enable the installation of unknown apps and the installation of the payload app callCam. It also enables the payload app’s accessibility permission, and then launches the payload app. All of this happens behind the overlay screen, unbeknownst to the user, and all these steps are performed by employing Accessibility.\r\nFigure 12. Code enabling install of unknown apps and new APK\r\nFigure 13. Code enabling accessibility permission of the newly installed app\r\nThe video below demonstrates payload deployment via CVE-2019-2215 on Pixel 2:\r\ncallCam’s Activities\r\nThe app callCam hides its icon on the device after being launched. It collects the following information and sends it back to the C\u0026C server in the background:\r\nLocation\r\nBattery status\r\nFiles on device\r\nInstalled app list\r\nDevice information\r\nSensor information\r\nCamera information\r\nScreenshot\r\nAccount\r\nWifi information\r\nData of WeChat, Outlook, Twitter, Yahoo Mail, Facebook, Gmail, and Chrome\r\nThe app encrypts all stolen data using the RSA and AES encryption algorithms. It uses SHA256 to verify data integrity and to customize the encoding routine. When encrypting, it creates a block of data we named headData. This block contains the first 9 bytes of the original data, the original data length, a random AES IV, the RSA-encrypted AES key, and the SHA256 value of the AES-encrypted original data. The headData is then encoded through the customized routine. After the encoding, it is stored at the head of the final encrypted file, followed by the AES-encrypted original data.\r\nFigure 14. Data encryption process\r\nFigure 15. Customized encoding routine\r\nRelation to SideWinder\r\nThese apps may be attributed to SideWinder as the C\u0026C servers they use are suspected to be part of SideWinder’s infrastructure. In addition, a URL linking to one of the apps’ Google Play pages was also found on one of the C\u0026C servers.\r\nFigure 16. Google Play URL of FileManager app found in one of the C\u0026C servers.\r\nTrend Micro Solutions\r\nTrend Micro solutions such as Trend Micro™ Mobile Security for Android™ can detect these malicious apps. End users can also benefit from its multilayered security capabilities that secure the device owner’s data and privacy and safeguard them from ransomware, fraudulent websites, and identity theft.\r\nFor organizations, the Trend Micro Mobile Security for Enterprise suite provides device, compliance, and application management, data protection, and configuration provisioning. It also protects devices from attacks that exploit vulnerabilities, prevents unauthorized access to apps, and detects and blocks malware and fraudulent websites. Trend Micro’s Mobile App Reputation Service (MARS) covers Android and iOS threats using leading sandbox and machine learning technologies to protect users against malware, zero-day and known exploits, privacy leaks, and application vulnerabilities.\r\nIndicators of Compromise\r\nPackage Name/File type App Name/Detection Name\r\ncom.abdulrauf.filemanager FileCrypt Manager\r\ncom.callCam.android.callCam2base callCamm\r\ncom.camero.android.camera2basic Camero\r\nMITRE ATT\u0026CK Matrix™\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/first-active-attack-exploiting-cve-2019-2215-found-on-google-play-linked-to-sidewinder-apt-group/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/first-active-attack-exploiting-cve-2019-2215-found-on-google-play-linked-to-sidewinder-apt-group/"
	],
	"report_names": [
		"first-active-attack-exploiting-cve-2019-2215-found-on-google-play-linked-to-sidewinder-apt-group"
	],
	"threat_actors": [
		{
			"id": "d0c0a5ea-3066-42a5-846c-b13527f64a3e",
			"created_at": "2023-01-06T13:46:39.080551Z",
			"updated_at": "2026-04-10T02:00:03.206572Z",
			"deleted_at": null,
			"main_name": "RAZOR TIGER",
			"aliases": [
				"APT-C-17",
				"T-APT-04",
				"SideWinder"
			],
			"source_name": "MISPGALAXY:RAZOR TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6b9fc913-06c6-4432-8c58-86a3ac614564",
			"created_at": "2022-10-25T16:07:24.185236Z",
			"updated_at": "2026-04-10T02:00:04.893541Z",
			"deleted_at": null,
			"main_name": "SideWinder",
			"aliases": [
				"APT-C-17",
				"APT-Q-39",
				"BabyElephant",
				"G0121",
				"GroupA21",
				"HN2",
				"Hardcore Nationalist",
				"Rattlesnake",
				"Razor Tiger",
				"SideWinder",
				"T-APT-04"
			],
			"source_name": "ETDA:SideWinder",
			"tools": [
				"BroStealer",
				"Capriccio RAT",
				"callCam"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "173f1641-36e3-4bce-9834-c5372468b4f7",
			"created_at": "2022-10-25T15:50:23.349637Z",
			"updated_at": "2026-04-10T02:00:05.3486Z",
			"deleted_at": null,
			"main_name": "Sidewinder",
			"aliases": [
				"Sidewinder",
				"T-APT-04"
			],
			"source_name": "MITRE:Sidewinder",
			"tools": [
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434812,
	"ts_updated_at": 1775792240,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f9be263b232d231a32aed9a83ea0e83fb9b5e3d1.pdf",
		"text": "https://archive.orkl.eu/f9be263b232d231a32aed9a83ea0e83fb9b5e3d1.txt",
		"img": "https://archive.orkl.eu/f9be263b232d231a32aed9a83ea0e83fb9b5e3d1.jpg"
	}
}