If you have any of the below-mentioned file manager and photography apps installed on your Android phone – even if downloaded from the official Google Play Store – you have been hacked and are being tracked.
These newly detected malicious Android apps are Camero, FileCrypt, and callCam that are believed to be linked to Sidewinder APT, a sophisticated hacking group specialized in cyber espionage attacks.
According to cybersecurity researchers at Trend Micro, these apps have been exploiting a critical use-after-free vulnerability in Android since at least March last year – that’s 7 months before the same flaw was first identified as a zero-day when a Google researcher analysed a separate attack developed by Israeli surveillance vendor NSO Group.
“We speculate that these apps have been active since March 2019 based on the certificate information on one of the apps,” the researchers said.
Tracked as CVE-2019-2215, the vulnerability is a local privilege escalation issue that allows full root compromise of a vulnerable device and could also be exploited remotely when combined with a separate browser rendering flaw.
The flaw was initially addressed in December 2017 in the 4.14 Linux kernel, the Android Open Source Project (AOSP) 3.18 kernel, AOSP 4.4 kernel, and AOSP 4.9 kernel. Two years later, it was still impacting Pixel 2; Pixel 1; Huawei P20; Xiaomi Redmi 5A, Redmi Note 5, and A1; Oppo A3; Motorola Moto Z3; LG phones running Android 8 Oreo; and Samsung Galaxy S7, S8 and S9 models.
Google included patches for the flaw in its October 2019 set of Android fixes and a proof-of-concept was published a couple of weeks later.
When first detailing the bug, Google Project Zero researcher Maddie Stone said that she had received information that an exploit for it existed, and that it was being used by Israeli spyware company NSO Group, which is known for building the infamous iOS malware Pegasus.
In a November blog detailing the finding, she revealed that the “information included marketing materials for this exploit,” and also said that the exploit was allegedly “used to install a version of Pegasus.”
This Spyware Secretly Roots Your Android Phone
According to Trend Micro, FileCrypt Manager and Camero act as droppers: they connect to a remote command and control server to download a DEX file, which in turn downloads the callCam app and tries to install it by exploiting privilege escalation vulnerabilities or by abusing the accessibility feature.
“All of this is done without user awareness or intervention. To evade detection, it uses many techniques such as obfuscation, data encryption, and invoking dynamic code,” the researchers said.
Once installed, callCam hides its icon from the app menu, collects the following information from the compromised device, and sends it back to the attacker’s C&C server in the background:
- Battery status
- Files on device
- Installed app list
- Device information
- Sensor information
- Camera information
- Wi-Fi information
- Data from WeChat, Outlook, Twitter, Yahoo Mail, Facebook, Gmail, and Chrome.
The app encrypts all stolen data using the RSA and AES encryption algorithms. It uses SHA256 to verify data integrity and to customise the encoding routine. When encrypting, it creates a block of data the researchers named headData. This block contains the first 9 bytes of the original data, the original data length, a random AES IV, the RSA-encrypted AES key, and the SHA256 value of the AES-encrypted original data. The headData is then encoded through the customised routine. After encoding, it is stored at the head of the final encrypted file, followed by the AES-encrypted original data.
[Figure: Data encryption process]
[Figure: Customised encoding routine]
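The container layout described above is useful to an analyst who recovers an exfiltrated file: the SHA256 field lets you confirm the ciphertext is intact, and the 9 leaked plaintext bytes often identify the file type of the stolen data even without the RSA private key. The parser below is an added illustration, not Trend Micro’s code or the malware’s; the field widths, the 4-byte big-endian length and RSA-2048 key size are assumptions, and the undocumented custom encoding step is modelled as the identity.

```python
import hashlib
import struct

# Assumed field widths: the article lists the fields but not their sizes.
PREFIX_LEN = 9          # first 9 bytes of the original data (stated on the page)
LEN_FMT = ">I"          # original data length, assumed 4-byte big-endian
IV_LEN = 16             # AES IV, 16 bytes
WRAPPED_KEY_LEN = 256   # RSA-encrypted AES key, assumed RSA-2048 (256 bytes)
DIGEST_LEN = 32         # SHA256 of the AES-encrypted data
HEAD_LEN = PREFIX_LEN + 4 + IV_LEN + WRAPPED_KEY_LEN + DIGEST_LEN


def build_container(origin: bytes, ciphertext: bytes, iv: bytes, wrapped_key: bytes) -> bytes:
    """Assemble headData || ciphertext for a constructed sample (no real cipher is run;
    the custom encoding of headData is assumed to be the identity)."""
    head = (origin[:PREFIX_LEN].ljust(PREFIX_LEN, b"\0")
            + struct.pack(LEN_FMT, len(origin))
            + iv + wrapped_key
            + hashlib.sha256(ciphertext).digest())
    return head + ciphertext


def parse_container(blob: bytes) -> dict:
    """Split a container into its fields and verify the SHA256 integrity value.
    Raises ValueError on a truncated blob or a digest mismatch."""
    if len(blob) < HEAD_LEN:
        raise ValueError("blob shorter than headData")
    head, body = blob[:HEAD_LEN], blob[HEAD_LEN:]
    off = 0
    prefix = head[off:off + PREFIX_LEN]; off += PREFIX_LEN
    (origin_len,) = struct.unpack(LEN_FMT, head[off:off + 4]); off += 4
    iv = head[off:off + IV_LEN]; off += IV_LEN
    wrapped_key = head[off:off + WRAPPED_KEY_LEN]; off += WRAPPED_KEY_LEN
    digest = head[off:off + DIGEST_LEN]
    if hashlib.sha256(body).digest() != digest:
        raise ValueError("SHA256 mismatch: ciphertext was altered or truncated")
    return {"prefix": prefix, "origin_len": origin_len, "iv": iv,
            "wrapped_key": wrapped_key, "ciphertext": body}


def guess_origin_type(prefix: bytes) -> str:
    """Classify the stolen data from the leaked 9-byte plaintext prefix (magic bytes)."""
    if prefix.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if prefix.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if prefix.startswith(b"SQLite fo"):   # "SQLite format 3\0" truncated to 9 bytes
        return "sqlite"
    return "unknown"
```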
Besides CVE-2019-2215, the malicious apps also try to exploit a separate vulnerability in the MediaTek-SU driver to get root privilege and stay persistent on a wide range of Android handsets.
Based on the overlap in location of the command and control servers, researchers have attributed the campaign to SideWinder, believed to be an Indian espionage group that historically targeted organizations linked to the Pakistani Military.
Relation to SideWinder
These apps may be attributed to SideWinder as the C&C servers it uses are suspected to be part of SideWinder’s infrastructure. In addition, a URL linking to one of the apps’ Google Play pages is also found on one of the C&C servers.
[Figure: Google Play URL of the FileManager app found on one of the C&C servers]
How to Protect Android Phone from Malware
Google has now removed all the above-mentioned malicious apps from the Play Store, but since Google’s systems are not sufficient to keep bad apps out of the official store, you have to be very careful about which apps you download.
To check whether your device is infected with this malware, go to Android system settings → App Manager, look for the apps listed above and uninstall them.
To protect your device against most cyber threats, you are recommended to take simple but effective precautions like:
- keep devices and apps up-to-date,
- avoid app downloads from unfamiliar sources,
- always pay close attention to the permissions requested by apps,
- frequently back up data, and
- install a good antivirus app that protects against this malware and similar threats.
To avoid being targeted by such apps, always be wary of suspicious apps, even when downloading from the Google Play Store, and try to stick to trusted brands only.
In addition, always look at the app reviews left by other users who have downloaded the app, and also verify app permissions before installing any app and grant only those permissions that are relevant for the app’s purpose.