Discovery Of A Spy Trojan That Exploits The Android Binder Vulnerability

Jorge M. Taboada

Digital Marketing Manager at buguroo

14.01.2020 11:30 am

Trend Micro researchers Ecular Xu and Joseph C Chen recently discovered three malicious applications in Google Play. They are not the first malicious Google Play apps to be found: earlier ones were designed mainly to steal data, whether banking credentials or other personal data of the victim.

Two of these applications are camera apps for taking and editing photographs; the third is a file manager for Android.

Applications published in Google Play

It is not unheard of to find malware in the official Google store masquerading as legitimate applications. What makes these three special is that they exploit an Android vulnerability to obtain root privileges on the device.

Thanks to that vulnerability, the applications take full control of the infected device and can read all the data stored on it (Facebook, Gmail, photos, etc.), without the user noticing anything and without having to request any special permission.

Android Binder Vulnerability

The vulnerability exploited by this Trojan is a bug in the Android 'Binder' component, the kernel driver (exposed to apps as /dev/binder) that implements Android's Inter-Process Communication (IPC). Binder is not confined to the processes of one application: it is the channel through which every app calls system services such as the Activity Manager and Package Manager, and through which apps talk to each other, with each process keeping its own address space while Binder carries the calls and their data between them. Because the driver runs in the kernel and every app can open it without any special permission, a memory-safety bug in it is reachable from any unprivileged app and, once exploited, yields kernel-level control rather than merely another process's privileges.

This security bug is tracked as CVE-2019-2215. It was first reported in November 2017 by the syzkaller fuzzing bot and fixed in the upstream Linux kernel in February 2018 (the change titled 'binder: remove waitqueue when thread exits'), but that fix had never reached the kernels shipped on many Android devices. In September 2019 Google's Project Zero found the bug being exploited in the wild; Google made the issue public on 3 October 2019 and covered it in the October 2019 Android security bulletin, and in November 2019 Project Zero published a blog post ('Bad Binder') describing the root cause and the exploitation technique.

The defect involves the 'binder_thread' structure, which the Binder driver allocates for every thread that talks to it, and in particular its 'wait' field, a wait queue head on which pollers sleep. When a process registers its Binder file descriptor with epoll, binder_poll() hands the epoll subsystem a pointer to that 'wait' field. If the thread is then torn down (the BINDER_THREAD_EXIT ioctl), the binder_thread is freed, but the epoll entry keeps its pointer: nothing invalidates it.

'binder_thread' structure containing the 'wait' field

Because that pointer to the 'wait_queue_head_t' is never invalidated, the system can be made to use it after the memory has been released: closing the epoll file descriptor makes epoll unlink its entry from the queue, which writes into the freed memory. A local attacker can first arrange for that freed memory to be reallocated to an object they control, so that the write lands inside their object and its effect becomes predictable. From that single use-after-free write the exploit builds an arbitrary kernel read and write, and since the Binder driver executes in the kernel, far above any app's privileges, that is enough to become root. No special permission is needed along the way: any app may open /dev/binder and use epoll.
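To make that lifecycle concrete, here is an added C model of the bug and of its fix. It is not kernel code, not Project Zero's exploit and not the Trojan's: the names binder_thread, eppoll_entry, add_wait_queue and remove_wait_queue mirror the kernel's but the bodies are simplified, the four-slot "slab" with a live flag is a toy allocator standing in for kmalloc, and the patched release routine models the effect of the upstream fix (waking waiters with POLLFREE so that epoll drops its entry) as a direct walk of the queue rather than the real callback. The helpers setup, run_scenario and run_spray are this example's own; they replay the system-call sequence an unprivileged app can issue: register the Binder fd with epoll, issue BINDER_THREAD_EXIT, close the epoll fd.

```c
/* Added model of the CVE-2019-2215 object lifecycle: not kernel code and not the
 * Trojan's exploit. A toy slab with a "live" flag makes writes to freed memory visible. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SLOTS 4
#define SLOT_SIZE 64
static unsigned char slab[SLOTS][SLOT_SIZE];
static bool slot_live[SLOTS];
static int uaf_writes;                          /* writes that landed in a freed slot */
static void *slab_alloc(void)                   /* first-fit: a freed slot is reused at once */
{
    for (int i = 0; i < SLOTS; i++)
        if (!slot_live[i]) { slot_live[i] = true; return memset(slab[i], 0, SLOT_SIZE); }
    return NULL;
}
static void slab_free(void *p) { for (int i = 0; i < SLOTS; i++) if (p == (void *)slab[i]) slot_live[i] = false; }
static bool slab_live(const void *p)            /* false only for a freed slab slot */
{
    uintptr_t a = (uintptr_t)p, lo = (uintptr_t)slab;
    return a < lo || a >= lo + sizeof slab || slot_live[(a - lo) / SLOT_SIZE];
}

/* Simplified kernel types: list, wait queue, binder_thread and epoll's per-queue entry. */
struct list_head { struct list_head *next, *prev; };
struct wait_queue_head { struct list_head head; };               /* wait_queue_head_t */
struct wait_queue_entry { struct list_head entry; };
struct binder_thread { int pid; struct wait_queue_head wait; };  /* freed by BINDER_THREAD_EXIT */
struct eppoll_entry { struct wait_queue_entry wq; struct wait_queue_head *whead; };
static void list_init(struct list_head *h) { h->next = h->prev = h; }
static void add_wait_queue(struct wait_queue_head *wh, struct wait_queue_entry *wq)
{
    wq->entry.prev = wh->head.prev;
    wq->entry.next = &wh->head;
    wh->head.prev->next = &wq->entry;
    wh->head.prev = &wq->entry;
}
/* The write that goes wrong: unlinking stores pointers into *wh, whoever owns it now. */
static void remove_wait_queue(struct wait_queue_head *wh, struct wait_queue_entry *wq)
{
    if (!slab_live(wh)) uaf_writes++;
    wq->entry.prev->next = wq->entry.next;
    wq->entry.next->prev = wq->entry.prev;
}

/* Before the fix: free the thread, leaving epoll's pointer to thread->wait dangling. */
static void thread_release_vulnerable(struct binder_thread *t) { slab_free(t); }
/* After the fix: waiters get POLLFREE, so epoll's callback unlinks its entry and clears
 * whead before the memory goes away. Modelled here as a direct walk of the queue. */
static void thread_release_fixed(struct binder_thread *t)
{
    for (struct list_head *pos = t->wait.head.next; pos != &t->wait.head;) {
        struct eppoll_entry *ep = (struct eppoll_entry *)pos;   /* wq is the first member */
        pos = pos->next;
        remove_wait_queue(&t->wait, &ep->wq);
        ep->whead = NULL;
    }
    slab_free(t);
}

/* epoll_ctl(ADD, binder fd): binder_poll() -> poll_wait() registers epoll on thread->wait. */
static struct binder_thread *setup(struct eppoll_entry *ep)
{
    memset(slot_live, 0, sizeof slot_live); uaf_writes = 0;
    struct binder_thread *t = slab_alloc();
    list_init(&t->wait.head);
    ep->whead = &t->wait;
    add_wait_queue(ep->whead, &ep->wq);
    return t;
}
/* ioctl(BINDER_THREAD_EXIT), then close(epoll fd): returns writes into freed memory. */
static int run_scenario(bool patched)
{
    struct eppoll_entry ep;
    struct binder_thread *t = setup(&ep);
    if (patched) thread_release_fixed(t); else thread_release_vulnerable(t);
    if (ep.whead) remove_wait_queue(ep.whead, &ep.wq);          /* ep_unregister_pollwait() */
    return uaf_writes;
}
/* Unpatched, but attacker-filled data reclaims the freed slot first: the allocator sees a
 * live object, and the unlink silently writes the dead thread's wait-head address into it.
 * Returns 1 if that kernel pointer landed inside the spray, -1 if the slot was not reused. */
static int run_spray(void)
{
    struct eppoll_entry ep;
    struct binder_thread *t = setup(&ep);
    thread_release_vulnerable(t);
    unsigned char *spray = slab_alloc();                        /* first-fit hands back t's slot */
    if (spray != (unsigned char *)t) return -1;
    memset(spray, 0x41, SLOT_SIZE);
    remove_wait_queue(ep.whead, &ep.wq);
    struct list_head *leaked;
    memcpy(&leaked, spray + offsetof(struct binder_thread, wait), sizeof leaked);
    return leaked == &t->wait.head;
}
```

run_scenario(false) reports one write into freed memory and run_scenario(true) none, which is the whole difference the 2018 fix makes. run_spray() shows the part an exploit builds on: once the slot is reoccupied the allocator can no longer tell anything is wrong, and the unlink deposits a pointer to the dead object's wait head at a fixed offset inside attacker-controlled data, both a kernel address disclosure and a controlled write. Project Zero's exploit applied exactly this write to a sprayed iovec array and grew it into arbitrary kernel read and write.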

Malicious applications

The applications detected in the official Google store take advantage of the vulnerability in the Android Binder to raise privileges and gain access to all of the device's data without the user having any way to realize it.

The 'Camero' and 'FileCrypt Manager' apps contain no malicious code of their own. They act as 'droppers': they contact the control server, download a DEX file and load and run it at runtime, so the malicious logic is never in the package that Google reviewed. That DEX is the second stage, and its task is once again to fetch and run more code: it downloads, installs and launches the third application published in Google Play, 'callCam'.

Phases of the attack. Source: TrendMicro

In the case analysed, it is the 'Camero' application that exploits the vulnerability to obtain 'root' on the device, through the DEX file downloaded from the control server. That code first checks the device model and then downloads the exploit built for that model.

Code responsible for checking the device model

The exploit used by this Trojan only works on a short list of devices: Google Pixel 2 and Pixel 2 XL, Nokia 3 (TA-1032), LG V20 (LG-H990), Oppo F9 (CPH1881) and Redmi 6A. A kernel exploit of this kind depends on the memory layout and addresses of the specific kernel build, which is why it has to be tailored per model.

The 'FileCrypt Manager' application, by contrast, does not download the model-checking DEX and does not exploit the Binder bug. Instead it asks the user to grant it Accessibility Service permission and then shows fake overlays so that the user's taps land on the buttons needed to install the 'callCam' application.

From that moment on, the 'callCam' application hides its icon and starts collecting data from the device and sending it to the control server. The data collected includes: location, battery status, installed applications, screenshots, the configured Wi-Fi networks, and the private data of installed apps such as Gmail, Chrome, Facebook and Twitter, among others, which root access makes readable despite Android's per-app sandbox.

Conclusions

Here we have seen how several malicious applications sneaked into the official Google store, which is in itself a problem for users, who tend to trust applications downloaded from Google Play because Google has reviewed and accepted them.

Other malicious applications had got into Google Play before. This time, however, they came prepared to exploit a vulnerability in a component of the Android operating system itself, obtaining root and therefore total control of the device. That lets the malware collect practically any information stored on the device: emails, photos, messages sent through social networks and so on.

Although no evidence has been found that the Trojan was used to steal banking data, the attackers would need no major changes to make it do so. With root, they would not even need the usual overlay technique of displaying a phishing page when the user opens a legitimate banking app: they could read any data the app stores insecurely on the device, or even try to inject code into the legitimate application itself.

If you want to know more about how buguroo can help you protect your customers against such attacks, please contact us.
