Google has pulled three malicious apps from Google Play, one of which exploits a recently patched kernel privilege escalation bug in Android (CVE-2019-2215) to install an app aimed at spying on users.
The existence of CVE-2019-2215 was discovered in late 2019 when it was spotted being exploited in the wild.
Researchers with Google’s Threat Analysis Group and other external parties believe that the exploit originated with NSO Group, an Israel-based company that specializes in lawful surveillance software and whose Pegasus mobile spyware is abused by oppressive regimes to spy on “enemies”.
At the time, the Android team considered the bug to be of high severity and pointed out that a malicious application has to be installed on the target device to perform the exploit.
About the newly discovered malicious apps
Trend Micro researchers discovered three malicious apps on Google Play:
- Camero – disguised as a photo app
- FileCrypt Manager – disguised as a file manager app
- callCam – disguised as a camera calling app.
The first two acted as droppers for the third one, which would perform the actual spying.
The Camero app would download a DEX file from a C&C server; that DEX file would then download the callCam APK and use the CVE-2019-2215 exploit to root the device, install the app and launch it without any user interaction or the user’s knowledge.
“This approach (…) only works on Google Pixel (Pixel 2, Pixel 2 XL), Nokia 3 (TA-1032), LG V20 (LG-H990), Oppo F9 (CPH1881), and Redmi 6A devices,” the researchers noted.
The FileCrypt Manager app would ask users to enable Android Accessibility Services and, if they did, would install and launch the callCam app.
The callCam app hides its icon after being launched, so users would not notice it.
It collects, encrypts, and sends back to the C&C server information such as:
- Battery status
- Files on device
- Installed app list
- Device information
- Sensor information
- Camera information
- Wi-Fi information
- Data of WeChat, Outlook, Twitter, Yahoo Mail, Facebook, Gmail, and Chrome
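A defender reading the infection chain above has two things to check on a fleet of Android devices: whether a device is one of the listed models still running a pre-fix security patch level, and which apps hold the Accessibility Services permission that FileCrypt Manager abuses. The following triage script is an added example written for this page, not code from the article or from Trend Micro. It parses the output of `adb shell getprop` and `adb shell settings get secure enabled_accessibility_services`; the sample output embedded below is constructed, the `com.example.placeholder` package is a placeholder, and the fix patch level `2019-10-06` is an assumption to be verified against Google's security bulletin.

```python
"""Triage helper for the CVE-2019-2215 dropper chain described above.

Added example, not part of the original article or Trend Micro's research.
Capture the inputs on a device with:
    adb shell getprop
    adb shell settings get secure enabled_accessibility_services
and feed the two outputs to assess().
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Models the researchers listed as the only ones the exploit chain works on.
AFFECTED_MODELS = {"Pixel 2", "Pixel 2 XL", "TA-1032", "LG-H990", "CPH1881", "Redmi 6A"}

# ASSUMPTION: the fix shipped with security patch level 2019-10-06.
# Verify against Google's Android security bulletin before relying on it.
FIX_PATCH_LEVEL = "2019-10-06"


@dataclass
class DeviceReport:
    model: str
    patch_level: str
    exploitable: bool                 # affected model AND patch level before the fix
    accessibility_services: List[str] # every enabled service; review each one


def parse_getprop(output: str) -> Dict[str, str]:
    """Parse `getprop` lines of the form `[key]: [value]` into a dict."""
    props: Dict[str, str] = {}
    for m in re.finditer(r"^\[([^\]]+)\]: \[([^\]]*)\]$", output, re.M):
        props[m.group(1)] = m.group(2)
    return props


def parse_accessibility_services(output: str) -> List[str]:
    """Parse the colon-separated `package/service` list; 'null' means none."""
    out = output.strip()
    if out in ("", "null"):
        return []
    return [s for s in out.split(":") if s]


def assess(getprop_out: str, a11y_out: str) -> DeviceReport:
    """Combine both checks into one report for the device."""
    props = parse_getprop(getprop_out)
    model = props.get("ro.product.model", "")
    patch = props.get("ro.build.version.security_patch", "")
    # ISO dates (YYYY-MM-DD) compare correctly as plain strings.
    pre_fix = patch == "" or patch < FIX_PATCH_LEVEL
    return DeviceReport(
        model=model,
        patch_level=patch,
        exploitable=model in AFFECTED_MODELS and pre_fix,
        accessibility_services=parse_accessibility_services(a11y_out),
    )


# Constructed sample: a Pixel 2 on a September 2019 patch level with TalkBack
# plus an unknown service (placeholder package) granted accessibility access.
SAMPLE_GETPROP = """\
[ro.product.model]: [Pixel 2]
[ro.build.version.release]: [10]
[ro.build.version.security_patch]: [2019-09-05]
"""
SAMPLE_A11Y = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.placeholder/com.example.placeholder.HelperService"
)

if __name__ == "__main__":
    report = assess(SAMPLE_GETPROP, SAMPLE_A11Y)
    print(f"model={report.model} patch={report.patch_level} exploitable={report.exploitable}")
    for svc in report.accessibility_services:
        print("accessibility service enabled:", svc)
```

The script deliberately reports every enabled accessibility service rather than judging them: the defender's job is to confirm each entry is an expected assistive tool, since a file-manager or camera app holding that permission is the pattern the article describes.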
Apps used by state-sponsored APT?
State-sponsored hackers occasionally take advantage of Google Play to deliver malicious apps to their targets.
This latest malicious trio has been tied to SideWinder, a threat actor group known to have attacked Pakistani military targets in the past, because the apps connect to C&C servers suspected to be part of SideWinder’s infrastructure.
Google provided a patch for CVE-2019-2215 soon after the flaw was first spotted being exploited, but it is unlikely that the patch has reached all Android users.
As always, users are advised to be careful about the apps they install on their devices. Google Play may host far fewer malicious apps than a random third-party app marketplace, but the threat, however small, persists.