First Active Attack Exploiting CVE-2019-2215 - Found on Google Play

upnorth

We found three malicious apps in the Google Play Store that work together to compromise a victim’s device and collect user information. One of these apps, called Camero, exploits CVE-2019-2215, a vulnerability that exists in Binder (the main Inter-Process Communication system in Android). This is the first known active attack in the wild that uses the use-after-free vulnerability. Interestingly, upon further investigation we also found that the three apps are likely to be part of the SideWinder threat actor group’s arsenal. SideWinder, a group that has been active since 2012, is a known threat and has reportedly targeted military entities’ Windows machines.

The three malicious apps were disguised as photography and file manager tools. We speculate that these apps have been active since March 2019 based on the certificate information on one of the apps. The apps have since been removed from Google Play.
CVE-2019-2215 permits attackers to fully compromise a device with only untrusted app access or a browser renderer exploit, and despite the patch being available in the upstream Linux kernel, it was left unpatched in Android devices for almost 2 years. In that time, we believe that attackers have been able to use this vulnerability to exploit users in the wild. Given the information in various public documents about the services that NSO Group provides, it seems most likely that this vulnerability was chained with either a browser renderer exploit or other remote capability.

Kernel vulnerabilities in Android are especially dangerous because they are largely the same across different devices, whereas other components on the device, such as the framework, SOC, or pre-installed apps, are often customized from one device to another and across different manufacturers. With this single kernel vulnerability, the majority of Android devices manufactured prior to September 2018 were vulnerable.
Huawei got this exploit fixed in its Android security release for October 2019.

Information about Google, LG, Motorola, Nokia and Samsung is available here.
For other brands/vendors, users have to check their respective sites for more information.