Discovery Of A Spy Trojan That Exploits The Android Binder Vulnerability


Jorge M. Taboada

Digital Marketing Manager at buguroo


14.01.2020 11:30 am

Trend Micro researchers Ecular Xu and Joseph C Chen recently discovered three malicious applications in Google Play. They are not the first malicious apps to be found in the store: others have been detected in the past, designed mainly to steal data, whether banking credentials or the victim's other personal information.

Two of these applications make it possible to take and edit photographs, while the third is a file manager for Android.

Applications published in Google Play

It is not unheard of to find malware available in the official Google store, masquerading as legitimate applications. However, what makes these three applications special is that they exploit an Android vulnerability to obtain root privileges on a device.

Thanks to this vulnerability, these applications take full control of the infected device and can read all the data stored on it: Facebook, Gmail, photos, etc. None of this is visible to the user, and none of it requires the app to request any special permission, because the exploit runs with root privileges rather than with the permissions the app was granted at install time.


Android Binder Vulnerability

The vulnerability exploited by this Trojan is a bug in Android's 'Binder' component, the kernel driver that implements Android's Inter-Process Communication (IPC). Binder is the channel through which apps talk to system services such as the Activity Manager, and through which apps talk to each other; it is not limited to processes of the same application. Because every app uses it, the driver is reachable from any unprivileged app, and because it runs in the kernel, a memory-safety bug in it is worth a great deal to an attacker.

The bug is tracked as CVE-2019-2215. It was first reported by the syzkaller fuzzer in November 2017 and fixed in the Linux 4.14 LTS kernel in December 2017 and in the Android common kernels by February 2018, but the fix never reached the kernels of many shipping devices. In September 2019 Google's Project Zero found the bug being exploited in the wild, disclosed it publicly in October 2019 (it appears in the October 2019 Android Security Bulletin), and in November 2019 published the blog post 'Bad Binder' describing the root cause and the in-the-wild exploit in detail.

The error is in the 'binder_thread' structure, which the Binder driver allocates for every thread of a process that talks to it. The structure embeds a wait queue in its 'wait' field. When a process registers its Binder file descriptor with epoll, the kernel's epoll code stores a pointer to that embedded wait queue in its own bookkeeping structure. When the thread is torn down through the BINDER_THREAD_EXIT ioctl, the driver frees the 'binder_thread', but the epoll entry still holds its pointer to the 'wait' field, which now points into freed memory.

'binder_thread' structure containing the 'wait' field

Because the dangling pointer to the 'wait_queue_head_t' is never invalidated, the epoll code can later be made to use it, for example when the epoll file descriptor is closed and the kernel unlinks its entry from the wait queue. By then the memory may have been reallocated and no longer holds the original data. An attacker who reclaims the freed chunk with an object of the same size and fills it with chosen contents gets the kernel to treat that content as if it were the wait queue, so the unlink writes kernel pointers into attacker-controlled memory. All of this happens inside the Binder and epoll code in the kernel, which runs with far more privilege than the application, and that write is the foothold from which control of kernel memory, and hence root, is built.
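To make the use-after-free concrete, the following C program is an added, self-contained userspace model of the primitive; it is not code from this page, from Trend Micro or from Project Zero, and it does not touch a real kernel. The structures 'sim_thread' and 'sim_epoll_entry', the four-chunk LIFO slab and the 0x41 spray marker are assumptions standing in for 'binder_thread', the epoll wait entry, the kernel's slab cache and a real heap spray; the list operations follow the semantics of the kernel's 'list_add' and 'list_del'.

```c
/* Added userspace model of the CVE-2019-2215 primitive: a pointer to a wait
 * queue embedded in a freed object survives, the chunk is reoccupied with
 * attacker-chosen bytes, and a later unlink writes through the stale pointer.
 * Nothing here touches a real kernel; all names are stand-ins (assumptions). */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct list_head { struct list_head *next, *prev; };

static void list_init(struct list_head *h) { h->next = h->prev = h; }

static void list_add(struct list_head *e, struct list_head *head)
{
    e->next = head->next; e->prev = head;
    head->next->prev = e; head->next = e;
}

/* Same semantics as the kernel's list_del: it writes through e->prev and
 * e->next with no idea whether the objects they point into are still alive. */
static void list_del(struct list_head *e)
{
    e->next->prev = e->prev;
    e->prev->next = e->next;
    e->next = e->prev = NULL;
}

struct wait_queue_head { struct list_head head; };

/* The kernel takes q->lock here; the lock is omitted in the model. */
static void remove_wait_queue(struct wait_queue_head *q, struct list_head *e) { (void)q; list_del(e); }

/* Stand-in for binder_thread: the wait queue lives inside the object. */
struct sim_thread { int pid; struct wait_queue_head wait; int looper_flags; };

/* Stand-in for the epoll wait entry: keeps a raw pointer into the thread. */
struct sim_epoll_entry { struct list_head entry; struct wait_queue_head *whead; };

/* Tiny LIFO slab (assumption): the chunk freed last is handed out first and is
 * not scrubbed, which is how a real slab cache reuses same-size objects. */
#define NCHUNKS 4
#define CHUNK   64
static unsigned char *pool;
static int free_stack[NCHUNKS], free_top;

static void slab_reset(void)
{
    if (!pool && !(pool = malloc((size_t)NCHUNKS * CHUNK))) abort();
    for (int i = 0; i < NCHUNKS; i++) free_stack[i] = NCHUNKS - 1 - i;
    free_top = NCHUNKS;
}
static void *slab_alloc(void) { return free_top ? pool + free_stack[--free_top] * CHUNK : NULL; }
static void slab_free(void *p) { free_stack[free_top++] = (int)(((unsigned char *)p - pool) / CHUNK); }

struct demo_result {
    int       same_chunk;    /* 1 if the spray landed exactly where the thread was */
    size_t    offset;        /* byte offset in the chunk that the unlink overwrote */
    uintptr_t value;         /* value written: the stale list head's own address */
    int       slots_changed; /* pointer-sized spray slots corrupted (next, prev: 2) */
    int       matches_head;  /* 1 if value == chunk base + offset */
};

struct demo_result run_stale_unlink_demo(void)
{
    struct demo_result r = {0, 0, 0, 0, 0};
    const uint64_t marker = 0x4141414141414141ULL;
    slab_reset();

    /* 1. A binder thread exists and epoll registers on its wait queue. */
    struct sim_thread *t = slab_alloc();
    t->pid = 1234; t->looper_flags = 0;
    list_init(&t->wait.head);
    struct sim_epoll_entry ep = { { NULL, NULL }, &t->wait };
    list_add(&ep.entry, &t->wait.head);

    /* 2. BINDER_THREAD_EXIT frees the thread; ep.whead is left dangling. */
    unsigned char *chunk = (unsigned char *)t;
    slab_free(t);

    /* 3. The attacker reoccupies the chunk with controlled bytes (a spray). */
    unsigned char *spray = slab_alloc();
    memset(spray, 0x41, CHUNK);
    r.same_chunk = (spray == chunk);

    /* 4. epoll teardown unlinks its entry through the stale pointer. */
    remove_wait_queue(ep.whead, &ep.entry);

    /* Inspect what the unlink did to the sprayed bytes. */
    for (size_t off = 0; off + sizeof(uint64_t) <= CHUNK; off += sizeof(uint64_t)) {
        uint64_t v;
        memcpy(&v, chunk + off, sizeof v);
        if (v != marker) {
            if (r.slots_changed == 0) { r.offset = off; r.value = (uintptr_t)v; }
            r.slots_changed++;
        }
    }
    r.matches_head = (r.value == (uintptr_t)(chunk + r.offset));
    return r;
}
```

On a 64-bit build 'run_stale_unlink_demo' reports that the spray occupied the freed chunk, that the unlink modified exactly two pointer-sized slots starting at offset 8 (where the 'wait' field sits in 'sim_thread'), and that the value written into both slots is the address of the stale wait-queue head itself. In the real kernel those two writes land in whatever object the attacker has sprayed into the 'binder_thread' slab slot; turning them into a read and write of kernel memory is the part described in Project Zero's write-up and is deliberately not modelled here.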


Malicious applications


The applications detected in the official Google store take advantage of the vulnerability in the Android Binder to raise privileges and gain access to all of the device's data without the user having any way to realize it.

The 'Camero' and 'FileCrypt Manager' apps do not carry the malicious payload themselves. They act as 'droppers': they download a DEX file from the attackers' server and execute it. That DEX file is the second stage of the attack, and its job is again to download code, this time the third application published in Google Play, 'callCam', which it installs and launches.

Phases of the attack. Source: Trend Micro

Of the two droppers, it is 'Camero' that exploits the vulnerability to obtain root on the device, through the DEX file it downloads from the command-and-control server. That downloaded code first checks the device model and then fetches the exploit binary matching that model.

Code responsible for checking the device model

The exploit shipped with this Trojan only targets a handful of devices: Google Pixel 2 and Pixel 2 XL, Nokia 3 (TA-1032), LG V20 (LG-H990), Oppo F9 (CPH1881) and Redmi 6A.

The 'FileCrypt Manager' app takes a different route: it does not download the model-checking DEX and does not exploit the Binder bug. Instead it asks the user to grant it the Android accessibility service permission and then draws fake overlays on top of the screen, so that the user, believing they are interacting with something harmless, taps the buttons needed to install the 'callCam' application.

From that moment on, the 'callCam' application hides its icon and begins to collect data from the device, sending it to the control server. The data collected includes: location, battery status, installed applications, screenshots, information on configured Wi-Fi networks, and data from different installed apps, such as Gmail, Chrome, Facebook or Twitter, among others.




Here we have seen how several malicious applications sneaked into the official Google store. That alone is a problem for users, who tend to trust applications downloaded from Google Play because Google has checked and accepted them.

Other malicious applications had made it into Google Play before. This time, however, they were prepared to exploit a vulnerability in a component of the Android operating system itself, obtaining root permissions and with them total control of the device. That lets the malware collect virtually any information stored on it: emails, photos, messages sent through social networks, and so on.

Although in this case no evidence has been found that the Trojan was used to steal banking data, the attackers would not need to make major changes for it to do so. With root permissions they would not even need the usual overlay techniques, in which a phishing page is displayed when the user opens a legitimate banking app. They could read data stored insecurely on the device, or even try to inject code into legitimate applications.

If you want to know more about how buguroo can help you protect your customers against such attacks, please contact us.

