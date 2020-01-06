

Researchers have found additional malicious Google Play apps, one of which exploits a serious Android root vulnerability so that the app can take screenshots and collect other kinds of confidential user information.

Camero exploits CVE-2019-2215, a vulnerability that Google's Project Zero research group discovered in October, Trend Micro researchers reported on Monday. The bug made it easy for attackers to gain full root privileges on Pixel 1 and Pixel 2 phones, as well as a variety of other Android models. Google patched the vulnerability in October, a few days after Project Zero researcher Maddie Stone reported that it was likely being actively exploited by exploit developer NSO Group or one of its customers. All three apps are no longer available in Play.

Camero connected to a command and control server that contained links to SideWinder, the code name for a malicious hacking group that has been attacking military targets since at least 2012. The app then downloaded attack code that exploits either CVE-2019-2215 or a separate bug in the MediaTek-SU driver and installs a spy app called callCam. callCam collected a variety of sensitive user data, including:

Location
Battery status
Files on the device
List of installed apps
Device information
Sensor information
Camera information
Screenshots
Account information
Wi-Fi information
Data from WeChat, Outlook, Twitter, Yahoo Mail, Facebook, Gmail and Chrome

To avoid detection, callCam hid its icon after installation. It also used an elaborate cryptographic routine to encrypt stolen data before sending it to attacker-controlled servers. callCam was also available as a standalone Google Play offering that advertised itself as a call and camera app. A third app, called FileCrypt Manager, installed callCam by abusing Android's permission to draw screen overlays. From there, the app installed a series of apps that ended with callCam.
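Two things a defender can check on a device in light of the report above, as an added Python triage helper that is not part of this article or of the Trend Micro report: whether the security patch level predates the October 2019 fix for CVE-2019-2215, and which installed packages currently hold the screen-overlay permission that FileCrypt Manager abused. It assumes the standard `adb shell getprop` and `adb shell appops get <pkg> SYSTEM_ALERT_WINDOW` output formats, takes the fix patch level as 2019-10-06 (verify against the Android security bulletin), and runs over constructed sample output with hypothetical package names.

```python
import re
from datetime import date

# Assumption: the CVE-2019-2215 fix shipped in the October 2019 security patch
# level; confirm the exact date against the Android security bulletin.
FIX_PATCH_LEVEL = date(2019, 10, 6)

PATCH_RE = re.compile(
    r"\[ro\.build\.version\.security_patch\]:\s*\[(\d{4})-(\d{2})-(\d{2})\]"
)


def parse_patch_level(getprop_output):
    """Extract the security patch level from `adb shell getprop` output."""
    m = PATCH_RE.search(getprop_output)
    if not m:
        return None
    return date(*map(int, m.groups()))


def patch_level_is_vulnerable(getprop_output):
    """True if the device cannot prove it carries the CVE-2019-2215 fix."""
    level = parse_patch_level(getprop_output)
    # An unreadable level is treated as vulnerable, not as safe.
    return level is None or level < FIX_PATCH_LEVEL


def overlay_allowed_packages(appops_by_pkg):
    """Return packages whose appops output grants SYSTEM_ALERT_WINDOW.

    appops_by_pkg maps package name -> text of
    `adb shell appops get <pkg> SYSTEM_ALERT_WINDOW`.
    """
    return sorted(
        pkg for pkg, out in appops_by_pkg.items()
        if re.search(r"SYSTEM_ALERT_WINDOW:\s*allow", out)
    )


# Constructed sample output; not captured from a real device.
SAMPLE_GETPROP = (
    "[ro.build.version.release]: [9]\n"
    "[ro.build.version.security_patch]: [2019-09-05]\n"
)
SAMPLE_APPOPS = {  # hypothetical package names
    "com.example.overlayapp": "SYSTEM_ALERT_WINDOW: allow; time=+3d2h",
    "com.example.browser": "No operations.",
    "com.example.launcher": "SYSTEM_ALERT_WINDOW: deny",
}

if __name__ == "__main__":
    print("patch level vulnerable:", patch_level_is_vulnerable(SAMPLE_GETPROP))
    print("overlay granted to:", overlay_allowed_packages(SAMPLE_APPOPS))
```

Any package on the overlay list that the user did not knowingly grant that permission deserves a closer look in Settings > Apps > Display over other apps.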

While a certificate in one of the apps indicates that the campaign has been active since March, web search caches (linked here and here) show that Camero and callCam received only five and one Google Play installations respectively. The number of FileCrypt Manager installations could not be determined immediately. Google has removed the apps, so they are no longer available in the official Google Play Store. It remains unclear whether the apps are available elsewhere.

Trend Micro researchers Ecular Xu and Joseph C. Chen suspect that the control servers the apps connected to are part of the SideWinder infrastructure. A URL linked to one of the apps in Google Play also appears on one of the control servers. In 2018, Kaspersky Lab researchers said that SideWinder was primarily directed against Pakistani military targets and had been active since at least 2012. Last month, a security researcher on Twitter said that SideWinder was likely behind an attack that exploited a patched security hole in the Equation Editor component of Microsoft Office.

People who want to check Android phones for infections will find indicators of compromise in the Trend Micro report linked above. Google representatives had no comment on this post, except to confirm that the apps were removed from Play.