Here we go again: Software nasties slip into Google Play, exploit make-me-root Android flaw for maximum pwnage
Apps spotted abusing use-after-free() bug seven months before patch
At least three malicious apps with device-hijacking exploits have made it onto the Google Play Store in recent weeks.
This is according to eggheads at Trend Micro, who found that the since-removed applications were all abusing a use-after-free() flaw in the operating system to elevate their privileges, and pull down and run further malware from a command-and-control server. The malicious apps were Camero, FileCrypt, and callCam, so check if you still have them installed.
"The three malicious apps were disguised as photography and file manager tools," said Trend researchers Ecular Xu and Joseph Chen on Monday.
"We speculate that these apps have been active since March 2019 based on the certificate information on one of the apps."
The exploited programming blunder was CVE-2019-2215, a use-after-free() vulnerability present in the inter-process messaging system of the Android kernel, specifically in binder.c. Successful exploitation of the flaw allows a local app to execute arbitrary code on the infected gizmo with kernel-level privileges, aka God mode.
It is not clear how many times the apps had been installed, though the reach may have been minimal as a screencap for Camero lists its installs at "5+".
Interestingly, while the apps themselves have been available since March 2019, the fix for CVE-2019-2215 was only posted in the October 2019 Android security update. However, the exploit for that vulnerability may have been added after March, such as when the hole was first disclosed.
Google: We caught a Russian state hacker crew uploading badness to the Play StoreREAD MORE
According to the researchers, exploitation occurred when a victim downloaded either Camero or FileCrypt Manager. The supposedly legitimate apps contacted a command and control server from which they download a pair of files that, in tandem, exploited CVE-2019-2215 to gain kernel-level privileges and installed the final piece of the scheme, the callCam app.
The callCam tool is able to collect device hardware information as well as location, installed apps, and data from specific applications like WeChat, Outlook, Twitter, Yahoo Mail, Gmail, and the Chrome browser. The pilfered data is then stored as an encrypted file for upload at a later time.
It is believed that, based on the command and control servers, the group behind the infections is the SideWinder crew, a hacking operation active since 2012.
The team is believed to have largely targeted government and military systems in Pakistan and has until now relied mostly on exploits and malware for Windows PCs. ®