callCam

Description

(Trend Micro) The apps Camero and FileCrypt Manager act as droppers. After downloading the extra DEX file from the C&C server, the second-layer droppers invoke extra code to download, install, and launch the callCam app on the device.

The app callCam hides its icon on the device after being launched. It collects the following information and sends it back to the C&C server in the background:

• Location
• Battery status
• Files on device
• Installed app list
• Device information
• Sensor information
• Camera information
• Screenshot
• Account
• Wifi information
• Data of WeChat, Outlook, Twitter, Yahoo Mail, Facebook, Gmail, and Chrome

The app encrypts all stolen data using the RSA and AES encryption algorithms. It uses SHA256 to verify data integrity and to customize the encoding routine. When encrypting, it creates a block of data we named headData. This block contains the first 9 bytes of the original data, the original data length, a random AES IV, the RSA-encrypted AES encryption key, and the SHA256 value of the AES-encrypted original data. The headData is then encoded through the customized routine. After the encoding, it is stored at the head of the final encrypted file, followed by the AES-encrypted original data.

Names

Name
callCam

Category

Malware

Type

  • Reconnaissance
  • Backdoor
  • Info stealer
  • Exfiltration

Information

Other Information

Uuid

c5e4e318-c0f6-4b6e-b74b-935daae939ee

Last Card Change

2020-04-29