Maddie Stone published technical details and a proof-of-concept exploit for the high-severity security vulnerability, seven days after she reported it to the colleagues of the Android security team.
The flaw is a use-after-free vulnerability that affects the Android kernel’s binder driver, it could be exploited by a local privileged attacker or a malicious app to escalate privileges to gain root access to a vulnerable device. Experts warn it could potentially allow to fully compromise the device.
The flaw affects versions of Android kernel released before April last year. This vulnerability was addressed in Dec 2017 in the 4.14 LTS kernel , AOSP android 3.18 kernel , AOSP android 4.4 kernel , and AOSP android 4.9 kernel . The expert pointed out that Pixel 2 with most recent security bulletin is still vulnerable based on source code review.
This means that most of the Android devices available on the market with the unpatched kernel are still vulnerable to this vulnerability, even is the owners have installed the latest Android security updates.
Some of the devices which appear to be vulnerable based on source code review are:
1) Pixel 2 with Android 9 and Android 10 preview (https://android.googlesource.com/kernel/msm/+/refs/heads/android-msm-wahoo-4.4-q-preview-6/)
2) Huawei P20
3) Xiaomi Redmi 5A
4) Xiaomi Redmi Note 5
5) Xiaomi A1
7) Moto Z3
8) Oreo LG phones (run according to )
9) Samsung S7, S8, S9
Maddie Stone explained that the flaw is accessible from inside the Chrome sandbox, the issue is exploitable in Chrome’s renderer processes under Android’s ‘isolated_app’ SELinux domain. This means that a remote attacker could potentially exploit the flaw by chaining it with a Chrome rendering issue
In October, the researchers Grant Hernandez, a PhD candidate at the Florida Institute of Cyber Security at the University of Florida, has publicly disclosed a PoC exploit code for the CVE-2019-2215 vulnerability.
In October, Google released the October 2019 set of Android fixes that addressed the flaw.
“This credible evidence included the leads and details outlined above in the “Hunting the Bug” section, and how after a detailed review of kernel patches, all requirements perfectly aligned with one bug (and only one bug).” reads a blog post published by Stone.
“The examined information included marketing materials for this exploit, and that the exploit was used to install a version of Pegasus. With this evidence, we decided that although we did not have an exploit sample, the risk to users was too great to wait 90 days for a patch and disclosure, and thus reported this to Android under a 7-day deadline.”.
Security experts at Trend Micro discovered that at least three malicious apps were available in the official Google Play store since March 2019, The researchers pointed out that the apps are working together to compromise devices and collect user information, and one of them uses the CVE-2019-2215 exploits.
“We found three malicious apps in the Google Play Store that work together to compromise a victim’s device and collect user information.” reads the analysis published by Trend Micro. “One of these apps, called
Interestingly, upon further investigation we also found that the three apps are likely to be part of the SideWinder threat actor group’s arsenal. SideWinder, a group that has been active since 2012, is a known threat and has reportedly targeted military entities’ Windows machines.
The three malicious apps were disguised as photography and file
The attackers install the payload app in two stages, it first downloads a DEX file from the C2 server, then the downloaded DEX file downloads an APK file and installs it after exploiting the device or employing accessibility.
“The apps Camero and FileCrypt Manger act as droppers. After downloading the extra DEX file from the C&C server, the second-layer droppers invoke extra code to download, install, and launch the
In order to root the device, Camero retrieves a specific exploit from the C&C, it works on Pixel 2, Pixel 2 XL, Nokia 3 (TA-1032), LG V20 (LG-H990), Oppo F9 (CPH1881), and Redmi 6A devices. The researchers downloaded five exploits from the server, including CVE-2019-2215 and MediaTek-SU, that are used to achieve root privileges before installing
The FileCrypt Manager, on the other hand, asks the user to enable the accessibility permission, then shows a full-screen window that says it needs further setup steps. The window is used to hide malicious activity, the malicious code installs
Additional technical details, including the Indicators of Compromise, are reported in the analysis published by Trend Micro.