3 Google Play Store Apps Exploit Android Zero-Day Used by NSO Group

Category	Details
Threat Actors	SideWinder APT, an Indian espionage group targeting organizations linked to the Pakistani military.
Campaign Overview	Use of malicious Android apps (Camero, FileCrypt, and callCam) to exploit vulnerabilities, root devices, and exfiltrate sensitive user data for espionage.
Target Regions (Victims)	Android users worldwide, with a focus on individuals and organizations of interest to SideWinder APT.
Methodology	Exploiting CVE-2019-2215 (use-after-free vulnerability) and MediaTek-SU driver flaws, using apps as droppers to install spyware, employing obfuscation and encryption for evasion, and hiding app icons to remain undetected.
Product Targeted	Android devices, specifically apps like WeChat, Outlook, Twitter, Yahoo Mail, Facebook, Gmail, Chrome, and general device data.
Malware Reference	Camero, FileCrypt, and callCam apps.
Tools Used	Droppers (Camero, FileCrypt), spyware payload (callCam), privilege escalation via CVE-2019-2215, dynamic code invocation, and obfuscation techniques.
Vulnerabilities Exploited	CVE-2019-2215 (local privilege escalation) and MediaTek-SU driver vulnerability for persistent root access.
TTPs	- Deploying spyware through fake apps. - Exploiting privilege escalation vulnerabilities. - Data exfiltration via C&C servers. - Hiding app icons for stealth.
Attribution	SideWinder APT, attributed based on overlap in the location of command-and-control servers and historical targeting of Pakistani military-linked organizations.
Recommendations	- Keep devices and apps up-to-date. - Avoid downloading apps from unfamiliar sources. - Review app permissions before installation. - Back up data regularly. - Install reputable antivirus software. - Stay cautious of apps on Google Play Store.
Source	The Hackers News

Read full article: https://thehackernews.com/2020/01/android-zero-day-malware-apps.html

The above summary has been generated by an AI language model