Trend Micro specialists found three applications in the official Android app store (Camero, FileCrypt Manager and callCam) associated with the Sidewinder group, which specializes in cyber-espionage attacks.
According to the experts, these applications have exploited the critical vulnerability CVE-2019-2215 since at least March 2019, that is, seven months before the problem was first discovered by information security specialists. Let me remind you that this vulnerability is a local privilege escalation and can help an attacker gain root access to the target device. The bug can also be used remotely in combination with other bugs.
According to Trend Micro, the FileCrypt Manager and Camero applications act as droppers: they connect to a remote attacker-controlled server to download a DEX file, which then downloads the callCam application and tries to install it, either by using vulnerabilities to elevate privileges or by abusing the Accessibility Service. In addition to CVE-2019-2215, the malicious applications also try to exploit a vulnerability in the MediaTek-SU driver to obtain root privileges and gain a foothold in the system.
The attack occurs without any user interaction and without the user's knowledge. To avoid detection, the criminals used obfuscation, data encryption, and so on.
After installation, the callCam application hides its icon from the user, then collects the following information from the compromised device and transfers it to the command-and-control server:
- location data;
- battery level data;
- information about files on the device;
- list of installed applications;
- device information;
- sensor information;
- camera information;
- account information;
- Wi-Fi information;
- data from WeChat, Outlook, Twitter, Yahoo Mail, Facebook, Gmail and
Based on information about the malware's control servers, researchers attributed this malicious campaign to the Sidewinder espionage group, which is considered to be Indian and usually attacks organizations associated with the Pakistani military.
Currently, all three applications have already been removed from Google Play.