Trend Micro researchers Ecular Xu and Joseph C Chen recently discovered three malicious applications in Google Play. They are not the first malicious Google Play apps to be found: in the past, others have been detected that were designed primarily to steal data, whether banking data or a victim's other personal data.
Two of these applications offer photo taking and editing, while the third is a file manager for Android.
Applications published in Google Play
It is not unheard of to find malware in the official Google store masquerading as legitimate applications. What makes these three applications special, however, is that they exploit an Android vulnerability to obtain root privileges on the device.
Thanks to this vulnerability, these applications take full control of the infected device, which gives them access to all the data stored on it: Facebook, Gmail, photos, etc. All of this happens without the user being aware of it and without the apps having to request any special permissions.
The vulnerability exploited by this Trojan is a bug in the Android 'Binder' component, the system element that implements Inter-Process Communication (IPC). Essentially, Binder enables communication between processes within the same application. This way, an app can split its functionality across different processes, which improves both its performance and its security, since each process has its own reserved memory space.
This security bug has been assigned the identifier 'CVE-2019-2215'. The problem was detected in September 2019 by the Google Project Zero team, although the first report dates back to November 2017 and it was patched in February 2018. In November 2019, Google researchers made it public and wrote a blog post describing the root cause of the problem.
The bug lies in the 'binder_thread' structure, which the Binder module of the Android operating system uses internally to manage communication between processes. Specifically, another system structure keeps a pointer to the 'wait' field of this structure but does not invalidate that pointer when the 'binder_thread' instance is destroyed and its memory freed, leaving a dangling pointer (a use-after-free).
'binder_thread' structure containing the 'wait' field
If the pointer to the 'wait_queue_head_t' structure is not invalidated, the system can be made to use that pointer even though the memory it refers to has been freed and no longer holds the original data. An attacker can arrange for that freed region to be reallocated and filled with false data that the kernel then treats as the original information. With this false data it is possible to control the execution of the Binder module, which runs with far greater privileges than the application.
The applications found in the official Google store take advantage of this Binder vulnerability to escalate privileges and gain access to all of the device's data, with no way for the user to notice.
The 'Camero' and 'FileCrypt Manager' apps do not themselves contain the malicious code. Instead, they act as 'droppers' that download and execute malicious code packaged in a DEX file. This downloaded code is the second stage of the attack and again consists of downloading further malicious code: in this case, the third application published in Google Play, 'callCam', is downloaded, installed and launched.
Phases of the attack. Source: TrendMicro
In the case analysed, it is the 'Camero' application that exploits the vulnerability to obtain 'root' permissions on the device, by means of the DEX file downloaded from the control server. That downloaded code is in turn responsible for checking the device model and downloading the 'exploit' that matches it.
Code responsible for checking the device model
The 'exploit' used by this Trojan only works on the following devices: Google Pixel 2 and Pixel 2 XL, Nokia 3 (TA-1032), LG V20 (LG-H990), Oppo F9 (CPH1881) and Redmi 6A.
The 'FileCrypt Manager' application, on the other hand, does not download the DEX that checks the model and exploits the Binder vulnerability. Instead, it requests the accessibility service permission from the user and displays fake overlays so that the user taps the buttons needed to install the 'callCam' application.
From that moment on, 'callCam' hides its icon and begins collecting data from the device and sending it to the control server. The data collected includes location, battery status, installed applications, screenshots, information on configured Wi-Fi networks and data from various installed apps, such as Gmail, Chrome, Facebook or Twitter, among others.
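For anyone managing a fleet of Android devices, the device list above plus the security patch level is enough for a first exposure check. The script below is an added example for this post (not Trend Micro's or buguroo's code) that parses `adb shell getprop` dumps and classifies each device. Two assumptions are labelled in the code: the Binder fix is taken to ship with the 2019-10-06 patch level from the October 2019 Android Security Bulletin, and the model substrings are hand-derived from the device list in this post; verify both against your OEM's own advisory before acting on a verdict, since the patch level only states which bulletin a build claims to include.

```python
"""Triage of `adb shell getprop` dumps for exposure to the Binder bug (CVE-2019-2215).

Added example for this post, not Trend Micro's or buguroo's code.
Assumptions, labelled: the Binder fix is taken to ship with the 2019-10-06
Android security patch level (October 2019 Android Security Bulletin), and the
model substrings below are hand-derived from the device list in the post;
check both against your OEM's own advisory before acting on a verdict.
"""
import re
from datetime import date

# Patch level assumed to contain the Binder fix (see module docstring).
FIXED_PATCH_LEVEL = date(2019, 10, 6)

# Substrings of ro.product.model for the devices the post says the exploit
# supports; compared case-insensitively because OEM model strings vary.
TARGETED_MODELS = ("pixel 2", "ta-1032", "lg-h990", "cph1881", "redmi 6a")

# `getprop` prints one "[key]: [value]" pair per line.
PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>[^\]]*)\]$")


def parse_getprop(text):
    """Return a dict of the properties in a getprop dump; unparsable lines are skipped."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("value")
    return props


def parse_patch_level(value):
    """ro.build.version.security_patch is YYYY-MM-DD; None if missing or malformed."""
    try:
        return date.fromisoformat(value)
    except (TypeError, ValueError):
        return None


def assess(props):
    """Classify one device as patched / exposed / unpatched / unknown, with a reason."""
    model = props.get("ro.product.model", "")
    patch = parse_patch_level(props.get("ro.build.version.security_patch"))
    if patch is None:
        return "unknown", "no parsable security patch level"
    if patch >= FIXED_PATCH_LEVEL:
        return "patched", f"patch level {patch} is at or after {FIXED_PATCH_LEVEL}"
    if any(t in model.lower() for t in TARGETED_MODELS):
        return "exposed", f"{model!r} is on the exploit's device list and patch level {patch} predates the fix"
    return "unpatched", f"patch level {patch} predates the fix ({model!r} not on the known list)"


def triage(dumps):
    """Map device name -> (status, reason) for a dict of getprop dumps."""
    return {name: assess(parse_getprop(text)) for name, text in dumps.items()}


# Constructed sample dumps, not output from real devices.
SAMPLE_DUMPS = {
    "dev-a": "[ro.product.model]: [Pixel 2 XL]\n[ro.build.version.security_patch]: [2019-09-05]\n",
    "dev-b": "[ro.product.model]: [Pixel 2 XL]\n[ro.build.version.security_patch]: [2019-10-06]\n",
    "dev-c": "[ro.product.model]: [SM-G960F]\n[ro.build.version.security_patch]: [2019-08-01]\n",
    "dev-d": "[ro.product.model]: [CPH1881]\n",
}

if __name__ == "__main__":
    for name, (status, reason) in sorted(triage(SAMPLE_DUMPS).items()):
        print(f"{name}: {status} ({reason})")
```

A device that predates the fix but is not on the list is still reported as "unpatched" rather than "safe": the list only describes what this particular exploit supports, not which kernels contain the bug.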
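The dropper behaviour described for 'Camero' and 'FileCrypt Manager' (dynamic DEX loading, an accessibility service, overlay windows and the ability to install other packages) is visible statically before an app is ever run. The following script is an added example for this post, not Trend Micro's or buguroo's code: it scores an apktool-style decode (manifest text plus strings pulled from the app's classes, both constructed samples here) against those indicators. The permission and API names are real Android identifiers; the weights, the threshold, the package names and the placeholder URL are my own and should be tuned on a corpus of known-good apps.

```python
"""Static triage of a decoded APK for the dropper / accessibility-overlay pattern.

Added example for this post, not Trend Micro's or buguroo's code. Input is
an apktool-style decode: the AndroidManifest.xml text plus strings pulled
from the app's classes (both constructed samples here). The permission and
API names are real Android identifiers; the weights and threshold are my own
heuristic and should be tuned on a corpus of known-good apps.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERMISSION_ATTR = f"{{{ANDROID_NS}}}permission"
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# uses-permission name -> (label, weight)
PERMISSION_INDICATORS = {
    "android.permission.SYSTEM_ALERT_WINDOW": ("draws overlays on other apps", 2),
    "android.permission.REQUEST_INSTALL_PACKAGES": ("can install other APKs", 2),
}

# (substrings to look for in class strings, label, weight)
CODE_INDICATORS = [
    (("dalvik/system/DexClassLoader", "dalvik/system/InMemoryDexClassLoader"),
     "loads code at runtime", 3),
    (("setComponentEnabledSetting",), "can hide its launcher icon", 1),
]
DEX_URL_RE = re.compile(r"https?://\S+\.dex\b")
REVIEW_THRESHOLD = 5


def manifest_indicators(manifest_xml):
    """Indicators from declared permissions and from a bound accessibility service."""
    root = ET.fromstring(manifest_xml)
    hits = []
    for el in root.iter("uses-permission"):
        hit = PERMISSION_INDICATORS.get(el.get(NAME_ATTR))
        if hit:
            hits.append(hit)
    for svc in root.iter("service"):
        if svc.get(PERMISSION_ATTR) == ACCESSIBILITY_PERMISSION:
            hits.append(("binds an accessibility service", 3))
            break  # count the capability once, however many services declare it
    return hits


def code_indicators(strings):
    """Indicators from strings pulled out of the app's classes."""
    hits = []
    for needles, label, weight in CODE_INDICATORS:
        if any(n in s for n in needles for s in strings):
            hits.append((label, weight))
    if any(DEX_URL_RE.search(s) for s in strings):
        hits.append(("references a remote .dex file", 2))
    return hits


def score(manifest_xml, strings):
    """Return (total, verdict, labels) for one app."""
    hits = manifest_indicators(manifest_xml) + code_indicators(strings)
    total = sum(w for _, w in hits)
    verdict = "review" if total >= REVIEW_THRESHOLD else "low"
    return total, verdict, [label for label, _ in hits]


# Constructed manifest resembling the behaviour the post describes; package
# name is a placeholder, not the real app's.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.filemgr">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>
"""
# Constructed class strings; the URL is a placeholder, not a real server.
SAMPLE_STRINGS = [
    "Ldalvik/system/DexClassLoader;",
    "http://c2.example.invalid/stage2.dex",
    "setComponentEnabledSetting",
]
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>
"""

if __name__ == "__main__":
    print(score(SAMPLE_MANIFEST, SAMPLE_STRINGS))
    print(score(BENIGN_MANIFEST, ["Lcom/example/notes/MainActivity;"]))
```

None of these indicators is malicious on its own (screen readers bind accessibility services, app stores request install permission), which is why the script reports a combined score with the matched labels for an analyst to review rather than a verdict.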
Here we have seen how several malicious applications slipped into the official Google store, which is in itself a problem for users, who generally trust the applications they download from Google Play because Google has checked and approved them.
Other malicious applications had slipped into Google Play before. This time, however, they were prepared to exploit a vulnerability in a component of the Android operating system, allowing them to obtain root permissions and total control of the device. That lets this malware collect virtually any information stored on the device, including emails, photos, messages sent through social networks, etc.
Although in this case no evidence has been found that the Trojan was used to steal banking data, the attackers would not need to make any major changes if they wanted it to do so. With root permissions they would not even need the usual overlay techniques to display a phishing page when the user opens a legitimate banking app: they could read data stored insecurely on the device, or even try to inject code into legitimate applications.
If you want to know more about how buguroo can help you protect your customers against such attacks, please contact us.