Security experts have found a malicious app on Google Play that exploits the recently patched CVE-2019-2215 zero-day vulnerability.

In early October, Google Project Zero researcher Maddie Stone publicly disclosed a zero-day vulnerability in Android, tracked as CVE-2019-2215.

Stone published technical details and a proof-of-concept exploit for the high-severity vulnerability seven days after reporting it to the Android security team.

The flaw is a use-after-free vulnerability in the Android kernel’s binder driver. It can be exploited by a local unprivileged attacker or a malicious app to escalate privileges and gain root access on a vulnerable device; experts warn that it could allow a full compromise of the device.

The flaw affects Android kernels that never received the fix. The vulnerability was addressed in December 2017 in the 4.14 LTS kernel [1], the AOSP android 3.18 kernel [2], the AOSP android 4.4 kernel [3] and the AOSP android 4.9 kernel [4], but that fix did not reach many of the kernels shipping on devices. Stone pointed out that a Pixel 2 with the most recent security bulletin applied was still vulnerable based on source code review.

This means that many Android devices on the market ship with an unpatched kernel and remain vulnerable even if their owners have installed the latest Android security updates.

Devices that appear to be vulnerable based on source code review include:

1) Pixel 2 with Android 9 and Android 10 preview (https://android.googlesource.com/kernel/msm/+/refs/heads/android-msm-wahoo-4.4-q-preview-6/)

2) Huawei P20

3) Xiaomi Redmi 5A

4) Xiaomi Redmi Note 5

5) Xiaomi A1

6) Oppo A3

7) Moto Z3

8) Oreo LG phones (which run the same kernel, according to the website)

9) Samsung S7, S8, S9

Stone explained that the flaw is reachable from inside the Chrome sandbox: it is exploitable from Chrome’s renderer processes, which run under Android’s ‘isolated_app’ SELinux domain. This means that a remote attacker could exploit it by chaining it with a Chrome renderer vulnerability.

Also in October, Grant Hernandez, a PhD candidate at the Florida Institute of Cyber Security at the University of Florida, publicly released PoC exploit code for CVE-2019-2215.

Google addressed the flaw in the October 2019 Android security bulletin.

According to Stone, the CVE-2019-2215 vulnerability was being used or sold by the controversial surveillance firm NSO Group, and the exploit was used to install a version of its Pegasus spyware.

“This credible evidence included the leads and details outlined above in the “Hunting the Bug” section, and how after a detailed review of kernel patches, all requirements perfectly aligned with one bug (and only one bug).” reads a blog post published by Stone.

“The examined information included marketing materials for this exploit, and that the exploit was used to install a version of Pegasus. With this evidence, we decided that although we did not have an exploit sample, the risk to users was too great to wait 90 days for a patch and disclosure, and thus reported this to Android under a 7-day deadline.”

Security experts at Trend Micro discovered that at least three malicious apps had been available on the official Google Play store since March 2019. The researchers pointed out that the apps work together to compromise devices and collect user information, and that one of them uses the CVE-2019-2215 exploit.

“We found three malicious apps in the Google Play Store that work together to compromise a victim’s device and collect user information.” reads the analysis published by Trend Micro. “One of these apps, called Camero, exploits CVE-2019-2215, a vulnerability that exists in Binder (the main Inter-Process Communication system in Android). This is the first known active attack in the wild that uses the use-after-free vulnerability.”

“Interestingly, upon further investigation we also found that the three apps are likely to be part of the SideWinder threat actor group’s arsenal. SideWinder, a group that has been active since 2012, is a known threat and has reportedly targeted military entities’ Windows machines.” the analysis adds.

The three malicious apps were disguised as photography and file manager tools; according to Trend Micro, they are part of the arsenal of a threat actor tracked as SideWinder.

The attackers install the payload app in two stages: the dropper first downloads a DEX file from the C&C server, then the downloaded DEX file downloads an APK file and installs it, either after rooting the device with an exploit or by abusing the accessibility service.

“The apps Camero and FileCrypt Manager act as droppers. After downloading the extra DEX file from the C&C server, the second-layer droppers invoke extra code to download, install, and launch the callCam app on the device.” continues the analysis.

To root the device, Camero retrieves a device-specific exploit from the C&C server; the exploits target Pixel 2, Pixel 2 XL, Nokia 3 (TA-1032), LG V20 (LG-H990), Oppo F9 (CPH1881) and Redmi 6A devices. The researchers downloaded five exploits from the server, including ones for CVE-2019-2215 and MediaTek-SU, which are used to obtain root privileges before installing callCam.

FileCrypt Manager, on the other hand, asks the user to enable the accessibility permission and then shows a full-screen window claiming that further setup steps are needed. The window hides the malicious activity: in the background, the code installs callCam and enables the accessibility permission for it.

The callCam app collects location, battery status, files on the device, the installed app list, device information, sensor information, camera information, account details, Wi-Fi information, screenshots, and data from WeChat, Outlook, Twitter, Yahoo Mail, Facebook, Gmail and Chrome. The collected data is encrypted with RSA and AES before being sent to the C&C server.

Additional technical details, including the Indicators of Compromise, are reported in the analysis published by Trend Micro.

Pierluigi Paganini