The SideWinder APT group has been actively abusing a Binder vulnerability in at least three apps found in the Google Play store.
The three apps, all file manager and photography tools, were uploaded starting in March 2019 but have since been removed. The apps involved are Camero, FileCrypt and callCam. The vulnerability affects several Android devices, including Pixel 1 and 2 phones, and enables an attacker to gain root access.
“Upon further investigation we also found that the three apps are likely to be part of the SideWinder threat actor group’s arsenal. SideWinder, a group that has been active since 2012, is a known threat and has reportedly targeted military entities’ Windows machines,” wrote Trend Micro researchers Ecular Xu and Joseph Chen.
The flaw, CVE-2019-2215, is a use-after-free in binder.c that can allow an elevation of privilege from an application to the Linux kernel. Exploiting it requires either the installation of a malicious local application or a separate vulnerability in a network-facing application.
Once the malicious app is on the device, the download procedure begins. In the first of two stages, a DEX file is downloaded from the command and control server, which in turn downloads an APK file. These actions take place outside the view of the device owner.
The command and control server hosts several exploits based on CVE-2019-2215 as well as the rooting tool MediaTek-SU, used to gain root access on the device. Once root access is gained, the callCam app is installed to give the attacker access to the device.
At this point the device owner is drawn back into the attack when the malware asks them to take additional steps to complete the app's setup. What is really happening is that the owner is viewing an overlay screen displayed on top of all activity windows on the device.
“The overlay window sets its attributions to FLAG_NOT_FOCUSABLE and FLAG_NOT_TOUCHABLE, allowing the activity windows to detect and receive the users’ touch events through the overlay screen,” the researchers said.
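The pattern the researchers describe, a non-focusable, non-touchable window drawn over the real activity so that taps pass through it, is the classic tap-jacking setup. As an added defensive example that is not part of the article and not code from Trend Micro or the malware, the Android view below uses the platform's own obscured-touch filtering to reject any touch that reaches it while another window covers it. The class and listener names are my own; the framework calls (`setFilterTouchesWhenObscured`, `onFilterTouchEventForSecurity`, `MotionEvent.FLAG_WINDOW_IS_OBSCURED`) are real Android APIs.

```java
// Added defensive example (not from the article or from the researchers):
// a button that refuses input delivered through an overlay, so a consent or
// permission tap cannot be harvested by a window sitting on top of the app.
import android.content.Context;
import android.util.AttributeSet;
import android.util.Log;
import android.view.MotionEvent;
import android.widget.Button;

public class ObscuredAwareButton extends Button {
    private static final String TAG = "ObscuredAwareButton";

    // Hypothetical callback so the app can react (e.g. show a warning, log telemetry)
    // when a touch is dropped because the view was covered.
    public interface OnObscuredTouchListener {
        void onObscuredTouch(MotionEvent event);
    }

    private OnObscuredTouchListener obscuredListener;

    public ObscuredAwareButton(Context context) {
        super(context);
        init();
    }

    public ObscuredAwareButton(Context context, AttributeSet attrs) {
        super(context, attrs);
        init();
    }

    private void init() {
        // Framework mitigation: the system marks touches that travel through another
        // visible window with FLAG_WINDOW_IS_OBSCURED, and this flag tells the View
        // class to discard such events. Equivalent to android:filterTouchesWhenObscured="true".
        setFilterTouchesWhenObscured(true);
    }

    public void setOnObscuredTouchListener(OnObscuredTouchListener listener) {
        this.obscuredListener = listener;
    }

    // Called by the framework before onTouchEvent. Returning false drops the event.
    @Override
    public boolean onFilterTouchEventForSecurity(MotionEvent event) {
        boolean obscured = (event.getFlags() & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
        if (obscured) {
            // A window we do not own is drawn over this view: do not treat the tap as consent.
            Log.w(TAG, "Dropped touch: view is obscured by another window");
            if (obscuredListener != null) {
                obscuredListener.onObscuredTouch(event);
            }
            return false;
        }
        return super.onFilterTouchEventForSecurity(event);
    }
}
```

Use this (or the XML attribute `android:filterTouchesWhenObscured="true"`) on any control whose tap grants a permission, confirms a payment or finishes a setup flow; a dropped touch combined with the listener firing is also a usable signal that something is drawing over the app.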
CallCam’s capabilities are then used to gain access to the following information:
The stolen data is encrypted for transmission to the C2 server.