SideWinder APT abuses Binder flaw as part of cyber-espionage operation

The first active attack exploiting a high-profile Android security vulnerability has been found on the Google Play store.

Researchers at Trend Micro recently identified three malicious apps in Google Play that work in conjunction with each other to compromise a victim’s Android device and steal user data.

One of these apps, Camero, exploits CVE-2019-2215 – a flaw in Binder disclosed by Google in November that can be used to gain root privileges on targeted devices. Binder is the main inter-process communication system in Android.

The dodgy apps – disguised as photography and file manager tools – appear to have been active for months from last March up until their recent discovery, based on the date their associated digital certificates were created.

They have since been pulled from Google Play. Fortunately, stats suggest the dodgy apps were only downloaded around 10 times.

Malicious Android apps are, unfortunately, all too common. And the low number of installs shouldn’t mean a threat associated with targeted attacks can be safely ignored.


Read more of the latest mobile security news from The Daily Swig


Trend Micro researchers state that their latest discovery stands out from the crowd because it represents the “first known active attack in the wild that uses the use-after-free vulnerability”.

Although Google warned in November that the same vulnerability appeared to be under active attack, the latest sighting represents a confirmed – rather than suspected – sighting, Trend Micro told The Daily Swig.

“In Google’s blog, Google just suspected that the vulnerability was being exploited by the NSO Group but had no sufficient proof and no related report was published,” Trend Micro explained.

“In our blog, we are talking about the confirmed and active attack abusing this flaw, it is the first time.”

Further work by Trend Micro researchers uncovered evidence that linked the threat to the SideWinder APT group, a cyber-espionage operation active since 2012.

The link arises from the use in the Camero attacks of command and control servers suspected to be a part of SideWinder’s infrastructure.

Pakistan military organizations have been among those historically under attack from the SideWinder group.


READ MORE Apple makes bug bounty program public and lifts payout ceiling to $1.5m