| Category | Details |
|---|---|
| Threat Actors | SideWinder APT, an Indian espionage group targeting organizations linked to the Pakistani military. |
| Campaign Overview | Use of malicious Android apps (Camero, FileCrypt, and callCam) to exploit vulnerabilities, root devices, and exfiltrate sensitive user data for espionage. |
| Target Regions (Victims) | Android users worldwide, with a focus on individuals and organizations of interest to SideWinder APT. |
| Methodology | Exploiting CVE-2019-2215 (a use-after-free vulnerability) and MediaTek-SU driver flaws, using apps as droppers to install spyware, employing obfuscation and encryption for evasion, and hiding app icons to remain undetected. |
| Product Targeted | Android devices, specifically apps like WeChat, Outlook, Twitter, Yahoo Mail, Facebook, Gmail, Chrome, and general device data. |
| Malware Reference | Camero, FileCrypt, and callCam apps. |
| Tools Used | Droppers (Camero, FileCrypt), spyware payload (callCam), privilege escalation via CVE-2019-2215, dynamic code invocation, and obfuscation techniques. |
| Vulnerabilities Exploited | CVE-2019-2215 (local privilege escalation) and a MediaTek-SU driver vulnerability for persistent root access. |
| TTPs | – Deploying spyware through fake apps. – Exploiting privilege escalation vulnerabilities. – Data exfiltration via C&C servers. – Hiding app icons for stealth. |
| Attribution | SideWinder APT, attributed based on overlap in the location of command-and-control servers and historical targeting of Pakistani military-linked organizations. |
| Recommendations | – Keep devices and apps up to date. – Avoid downloading apps from unfamiliar sources. – Review app permissions before installation. – Back up data regularly. – Install reputable antivirus software. – Stay cautious of apps on the Google Play Store. |
| Source | The Hacker News |
Read full article: https://thehackernews.com/2020/01/android-zero-day-malware-apps.html
The above summary has been generated by an AI language model