• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

DOJ takes action against 22-year-old running RapperBot Botnet

 | 

Google fixed Chrome flaw found by Big Sleep AI

 | 

Pharmaceutical firm Inotiv discloses ransomware attack. Qilin group claims responsibility for the hack

 | 

A hacker tied to Yemen Cyber Army gets 20 months in prison

 | 

Exploit weaponizes SAP NetWeaver bugs for full system compromise

 | 

Allianz Life security breach impacted 1.1 million customers

 | 

U.S. CISA adds Trend Micro Apex One flaw to its Known Exploited Vulnerabilities catalog

 | 

AI for Cybersecurity: Building Trust in Your Workflows

 | 

Taiwan Web Infrastructure targeted by APT UAT-7237 with custom toolset

 | 

New NFC-Driven Android Trojan PhantomCard targets Brazilian bank customers

 | 

Cisco fixed maximum-severity security flaw in Secure Firewall Management Center

 | 

'Blue Locker' Ransomware Targeting Oil & Gas Sector in Pakistan

 | 

Hackers exploit Microsoft flaw to breach Canada ’s House of Commons

 | 

Norway confirms dam intrusion by Pro-Russian hackers

 | 

Zoom patches critical Windows flaw allowing privilege escalation

 | 

Manpower data breach impacted 144,180 individuals

 | 

U.S. CISA adds Microsoft Internet Explorer, Microsoft Office Excel, and WinRAR flaws to its Known Exploited Vulnerabilities catalog

 | 

Critical FortiSIEM flaw under active exploitation, Fortinet warns

 | 

Charon Ransomware targets Middle East with APT attack methods

 | 

Hackers leak 2.8M sensitive records from Allianz Life in Salesforce data breach

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Hacking
  • Malware
  • Mobile
  • Malicious app exploiting CVE-2019-2215 zero-day available in Google Play since March

Malicious app exploiting CVE-2019-2215 zero-day available in Google Play since March

Pierluigi Paganini January 07, 2020

Security experts have found a malicious app in the Google Play that exploits the recently patched CVE-2019-2215 zero-day vulnerability.

Earlier October, Google Project Zero researchers Maddie Stone publicly disclosed a zero-day vulnerability, tracked as CVE-2019-2215, in Android.

Maddie Stone published technical details and a proof-of-concept exploit for the high-severity security vulnerability, seven days after she reported it to the colleagues of the Android security team.

The flaw is a use-after-free vulnerability that affects the Android kernel’s binder driver, it could be exploited by a local privileged attacker or a malicious app to escalate privileges to gain root access to a vulnerable device. Experts warn it could potentially allow to fully compromise the device.

The flaw affects versions of Android kernel released before April last year. This vulnerability was addressed in Dec 2017 in the 4.14 LTS kernel [1], AOSP android 3.18 kernel [2], AOSP android 4.4 kernel [3], and AOSP android 4.9 kernel [4]. The expert pointed out that Pixel 2 with most recent security bulletin is still vulnerable based on source code review.

This means that most of the Android devices available on the market with the unpatched kernel are still vulnerable to this vulnerability, even is the owners have installed the latest Android security updates.

Some of the devices which appear to be vulnerable based on source code review are:

1) Pixel 2 with Android 9 and Android 10 preview (https://android.googlesource.com/kernel/msm/+/refs/heads/android-msm-wahoo-4.4-q-preview-6/)
2) Huawei P20
3) Xiaomi Redmi 5A
4) Xiaomi Redmi Note 5
5) Xiaomi A1
6) A3
7) Moto Z3
8) Oreo LG phones (run according to )
9) Samsung S7, S8, S9

Maddie Stone explained that the flaw is accessible from inside the Chrome sandbox, the issue is exploitable in Chrome’s renderer processes under Android’s ‘isolated_app’ SELinux domain. This means that a remote attacker could potentially exploit the flaw by chaining it with a Chrome rendering issue

In October, the researchers Grant Hernandez, a PhD candidate at the Florida Institute of Cyber Security at the University of Florida, has publicly disclosed a PoC exploit code for the CVE-2019-2215 vulnerability.

In October, Google released the October 2019 set of Android fixes that addressed the flaw.

According to Stone, the CVE-2019-2215 vulnerability was being used or sold by the controversial surveillance firm NSO Group, it was exploited by its surveillance software Pegasus.

“This credible evidence included the leads and details outlined above in the “Hunting the Bug” section, and how after a detailed review of kernel patches, all requirements perfectly aligned with one bug (and only one bug).” reads a blog post published by Stone.

“The examined information included marketing materials for this exploit, and that the exploit was used to install a version of Pegasus. With this evidence, we decided that although we did not have an exploit sample, the risk to users was too great to wait 90 days for a patch and disclosure, and thus reported this to Android under a 7-day deadline.”.

Security experts at Trend Micro discovered that at least three malicious apps were available in the official Google Play store since March 2019, The researchers pointed out that the apps are working together to compromise devices and collect user information, and one of them uses the CVE-2019-2215 exploits.

“We found three malicious apps in the Google Play Store that work together to compromise a victim’s device and collect user information.” reads the analysis published by Trend Micro. “One of these apps, called Camero, exploits CVE-2019-2215, a vulnerability that exists in Binder (the main Inter-Process Communication system in Android). This is the first known active attack in the wild that uses the use-after-free vulnerability.”

Interestingly, upon further investigation we also found that the three apps are likely to be part of the SideWinder threat actor group’s arsenal. SideWinder, a group that has been active since 2012, is a known threat and has reportedly targeted military entities’ Windows machines.

The three malicious apps were disguised as photography and file manager tools, according to Trend Micro they are part of the arsenal used by a threat actor tracked as SideWinder.

The attackers install the payload app in two stages, it first downloads a DEX file from the C2 server, then the downloaded DEX file downloads an APK file and installs it after exploiting the device or employing accessibility. 

“The apps Camero and FileCrypt Manger act as droppers. After downloading the extra DEX file from the C&C server, the second-layer droppers invoke extra code to download, install, and launch the callCam app on the device.” continues the analysis.

apps exploits CVE-2019-2215 2.png

In order to root the device, Camero retrieves a specific exploit from the C&C, it works on Pixel 2, Pixel 2 XL, Nokia 3 (TA-1032), LG V20 (LG-H990), Oppo F9 (CPH1881), and Redmi 6A devices. The researchers downloaded five exploits from the server, including CVE-2019-2215 and MediaTek-SU, that are used to achieve root privileges before installing callCam.

The FileCrypt Manager, on the other hand, asks the user to enable the accessibility permission, then shows a full-screen window that says it needs further setup steps. The window is used to hide malicious activity, the malicious code installs callCam and enables the accessibility permission for it.

The app callCam collects data such as location, battery status, files on device, installed app list, device information, sensor information, camera information, account details, Wi-Fi information, screenshots, and data from WeChat, Outlook, Twitter, Yahoo Mail, Facebook, Gmail, and Chrome. Collected data is encrypted using RSA and AES encryption algorithms, then it is sent to the C&C server.

Additional technical details, including the Indicators of Compromise, are reported in the analysis published by Trend Micro.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Android, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]


facebook linkedin twitter

Android CVE-2019-2215 hacking news information security news Pierluigi Paganini Security Affairs Security News

you might also like

Pierluigi Paganini August 20, 2025
DOJ takes action against 22-year-old running RapperBot Botnet
Read more
Pierluigi Paganini August 20, 2025
Google fixed Chrome flaw found by Big Sleep AI
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    DOJ takes action against 22-year-old running RapperBot Botnet

    Cyber Crime / August 20, 2025

    Google fixed Chrome flaw found by Big Sleep AI

    Security / August 20, 2025

    Pharmaceutical firm Inotiv discloses ransomware attack. Qilin group claims responsibility for the hack

    Data Breach / August 20, 2025

    A hacker tied to Yemen Cyber Army gets 20 months in prison

    Cyber Crime / August 20, 2025

    Exploit weaponizes SAP NetWeaver bugs for full system compromise

    Security / August 20, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT