Updated Janu5PM EST with a video showing the exploit of CVE-2019-2215.

We found three malicious apps in the Google Play Store that work together to compromise a victim's device and collect user information. One of these apps, called Camero, exploits CVE-2019-2215, a vulnerability that exists in Binder (the main inter-process communication system in Android). This is the first known active attack in the wild that uses this use-after-free vulnerability. Interestingly, upon further investigation we also found that the three apps are likely to be part of the SideWinder threat actor group's arsenal. SideWinder, a group that has been active since 2012, is a known threat and has reportedly targeted military entities' Windows machines.

The three malicious apps were disguised as photography and file manager tools. We speculate that these apps have been active since March 2019, based on the certificate information of one of the apps. The apps have since been removed from Google Play.

Figure 1. The three apps related to the SideWinder group

Figure 2. Certificate information of one of the apps

Installation

SideWinder installs the payload app in two stages. It first downloads a DEX file (an Android executable file format) from its command and control (C&C) server. We found that the group employs Apps Conversion Tracking to configure the C&C server address.
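Because the second stage arrives as a DEX file fetched from the C&C server, an analyst triaging a suspected dropper wants a quick way to confirm that a recovered blob really is an intact DEX. The following Python is an added example, not code from the original post or from the apps it describes: it parses the fixed DEX header and verifies the Adler-32 checksum and SHA-1 signature that every DEX carries, and it builds a constructed header-only sample (no bytecode, not the campaign's payload) to run against offline.

```python
import hashlib
import struct
import zlib

DEX_HEADER_LEN = 0x70          # fixed header size of every DEX file
DEX_ENDIAN_CONSTANT = 0x12345678
HEADER_FIELDS = [
    "file_size", "header_size", "endian_tag", "link_size", "link_off", "map_off",
    "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
    "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
    "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
    "data_size", "data_off",
]


def parse_dex_header(blob: bytes) -> dict:
    """Parse a DEX header and verify the file's Adler-32 checksum and SHA-1 signature.

    The checksum covers everything after itself (offset 12 onward) and the
    signature covers everything after itself (offset 32 onward), so a payload
    that was truncated or patched in transit fails at least one of them.
    """
    if len(blob) < DEX_HEADER_LEN or not blob.startswith(b"dex\n"):
        raise ValueError("not a DEX file")
    checksum, = struct.unpack_from("<I", blob, 8)
    hdr = dict(zip(HEADER_FIELDS, struct.unpack_from("<20I", blob, 32)))
    hdr["version"] = blob[4:7].decode("ascii")        # e.g. "035"
    hdr["endian_ok"] = hdr["endian_tag"] == DEX_ENDIAN_CONSTANT
    hdr["size_ok"] = hdr["file_size"] == len(blob)
    hdr["checksum_ok"] = (zlib.adler32(blob[12:]) & 0xFFFFFFFF) == checksum
    hdr["signature_ok"] = hashlib.sha1(blob[32:]).digest() == blob[12:32]
    return hdr


def build_sample_dex(class_defs: int = 1, payload: bytes = b"\x00" * 16) -> bytes:
    """Constructed sample for offline testing: a valid header plus a dummy data
    section. It contains no bytecode and is not the malware's DEX."""
    file_size = DEX_HEADER_LEN + len(payload)
    body = struct.pack(
        "<20I", file_size, DEX_HEADER_LEN, DEX_ENDIAN_CONSTANT,
        0, 0, DEX_HEADER_LEN,                 # link_size, link_off, map_off
        0, 0, 0, 0, 0, 0, 0, 0, 0, 0,         # no string/type/proto/field/method ids
        class_defs, 0, len(payload), DEX_HEADER_LEN,
    ) + payload
    signature = hashlib.sha1(body).digest()
    checksum = zlib.adler32(signature + body) & 0xFFFFFFFF
    return b"dex\n035\x00" + struct.pack("<I", checksum) + signature + body
```

A real dropped payload can be fed to `parse_dex_header` straight from disk; a failed checksum or signature on a file the app tried to load is itself worth noting in the analysis.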