
Here we go again: Software nasties slip into Google Play, exploit make-me-root Android flaw for maximum pwnage



Apps spotted abusing use-after-free bug seven months before patch




At least three malicious apps with device-hijacking exploits have made it onto the Google Play Store in recent weeks.


This is according to eggheads at Trend Micro, who found that the since-removed applications were all abusing a use-after-free flaw in the operating system's kernel to elevate their privileges, and to pull down and run further malware from a command-and-control server. The malicious apps were Camero, FileCrypt, and callCam, so check whether you still have them installed.


"The three malicious apps were disguised as photography and file manager tools," said Trend researchers Ecular Xu and Joseph Chen on Monday.


"We speculate that these apps have been active since March 2019 based on the certificate information on one of the apps."


The exploited programming blunder was CVE-2019-2215, a use-after-free vulnerability in the Binder inter-process communication driver of the Android kernel (drivers/android/binder.c). Successful exploitation allows an unprivileged local app to execute arbitrary code on the infected gizmo with kernel-level privileges, aka God mode.


It is not clear how many times the apps had been installed, though the reach may have been minimal as a screencap for Camero lists its installs at "5+".


Interestingly, while the apps themselves appear to have been available since March 2019, the fix for CVE-2019-2215 was only posted in the October 2019 Android security update, after Google's Project Zero found the bug being exploited in the wild and publicly disclosed it at the start of that month. The exploit may therefore have been added to the apps later than March, for instance once the hole was disclosed. A device still on a kernel without that fix should be assumed exploitable by any app installed on it.


According to the researchers, exploitation began when a victim installed either Camero or FileCrypt Manager. The supposedly legitimate apps contacted a command-and-control server and downloaded a pair of files that, in tandem, exploited CVE-2019-2215 to gain kernel-level privileges and then installed the final piece of the scheme, the callCam app.


The callCam tool is able to collect device hardware information as well as location, installed apps, and data from specific applications like WeChat, Outlook, Twitter, Yahoo Mail, Gmail, and the Chrome browser. The pilfered data is then stored as an encrypted file for upload at a later time.


It is believed that, based on the command and control servers, the group behind the infections is the SideWinder crew, a hacking operation active since 2012.


The team is believed to have largely targeted government and military systems in Pakistan and has until now relied mostly on exploits and malware for Windows PCs.



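The article says only that CVE-2019-2215 is a use-after-free in binder.c. The shape of that bug, as reported by Google's Project Zero, is that a binder_thread could be freed (via the BINDER_THREAD_EXIT ioctl) while an epoll instance still held a wait-queue entry pointing into it, so closing the epoll file later unlinked that entry from already-freed memory. The C below is an added example, not code from the article, from Trend Micro, or from binder.c itself: a user-space model with a constructed one-slot slab, invented names (fake_thread, list_node, refill_slot) and a constructed 0x41 fill pattern standing in for the attacker's replacement allocation. It assumes 64-bit pointers. The vulnerable path shows the stale unlink writing a pointer to the old wait-queue head into the reused slot; the hardened path detaches waiters before the free, the effect the binder fix achieves with a POLLFREE wake-up.

```c
/* Model of the bug class behind CVE-2019-2215, in user-space C. A wait-queue
 * entry keeps pointing into an object after that object is freed, so the
 * entry's eventual unlink writes pointers into whatever reuses the memory.
 * Added example code, not drivers/android/binder.c: the one-slot "slab",
 * the struct layouts and the 0x41 fill pattern are constructed so the
 * reuse is deterministic and nothing reads genuinely freed memory.
 * Assumes 64-bit pointers (a list_node is two 8-byte words). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Doubly linked list in the shape of the kernel's struct list_head. */
struct list_node { struct list_node *next, *prev; };

static void list_init(struct list_node *h) { h->next = h->prev = h; }

static void list_add(struct list_node *n, struct list_node *head)
{
    n->next = head->next;
    n->prev = head;
    head->next->prev = n;
    head->next = n;
}

/* Unlinking is two pointer-sized stores through the neighbours. If a
 * neighbour has already been freed, these stores land in recycled memory. */
static void list_del(struct list_node *n)
{
    n->prev->next = n->next;
    n->next->prev = n->prev;
}

/* Stand-in for binder_thread: a wait-queue head embedded in the object. */
struct fake_thread {
    uint64_t tid;
    struct list_node wait;       /* epoll waiters link themselves in here */
};

/* One-slot slab: whatever is allocated next lands on the freed thread.
 * words[1] and words[2] overlay wait.next and wait.prev. */
static union { struct fake_thread thread; uint64_t words[3]; } slot;

static struct fake_thread *thread_alloc(uint64_t tid)
{
    slot.thread.tid = tid;
    list_init(&slot.thread.wait);
    return &slot.thread;
}

/* The attacker's replacement object (the public exploit sprayed iovec
 * arrays); here it is just a recognisable fill over the whole slot. */
static void refill_slot(void) { memset(&slot, 0x41, sizeof slot); }

/* Thread teardown. Vulnerable: free with the waiter still queued, as the
 * pre-fix binder_thread_release did. Hardened: detach every waiter first,
 * which is what the fix's POLLFREE wake-up makes epoll do. */
static void thread_release(struct fake_thread *t, int hardened)
{
    if (hardened) {
        while (t->wait.next != &t->wait) {
            struct list_node *n = t->wait.next;
            list_del(n);
            list_init(n);            /* a later list_del on n only touches n */
        }
    }
    /* the slot is now "free"; the next allocation reuses it */
}

/* Reads a slot word back with memcpy so the check is aliasing-safe. */
static uint64_t slot_word(int i)
{
    uint64_t v;
    memcpy(&v, &slot.words[i], sizeof v);
    return v;
}

/* Replays the sequence; returns 1 if the stale unlink wrote into the slot. */
int run_scenario(int hardened)
{
    const uint64_t fill = 0x4141414141414141ULL;   /* constructed marker */
    struct list_node waiter;                 /* epoll's entry on the wait queue */
    struct fake_thread *t = thread_alloc(1234);
    list_add(&waiter, &t->wait);             /* epoll_ctl(EPOLL_CTL_ADD, binder_fd) */
    thread_release(t, hardened);             /* ioctl(BINDER_THREAD_EXIT) */
    refill_slot();                           /* attacker's allocation reuses the slot */
    list_del(&waiter);                       /* close(epfd) -> ep_unregister_pollwait */
    return slot_word(1) != fill || slot_word(2) != fill;
}

/* What the stale unlink leaves in the slot: the address of the old wait
 * head, i.e. a pointer into the (model) kernel object. */
uint64_t corrupted_word(void) { return slot_word(1); }
uint64_t wait_head_addr(void) { return (uint64_t)(uintptr_t)&slot.thread.wait; }

int main(void)
{
    printf("vulnerable path corrupted slot: %d\n", run_scenario(0));
    printf("hardened path corrupted slot:   %d\n", run_scenario(1));
    return 0;
}
```

Compile with cc -Wall and run: the vulnerable path reports the slot as corrupted, the hardened one does not. The value written is the address of the old wait-queue head, which is exactly the kind of kernel pointer a follow-on exploit wants to read back once it controls what occupies the slot; detaching waiters before the free, as the hardened path does, is what removes the primitive.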

God help the majority of Android phones that no longer receive OTA or security updates simply because they are older than 2 years, which is a ridiculously short period of time.

Hopefully this will change with devices that come with Android 10 preinstalled, since they use Project Mainline, which separates security portions of Android from the rest of the OS so security updates can/will be delivered just like regular updates through Google Play.

Meanwhile, I think Huawei phones are safer because they don't incorporate Google services.

