According to researchers, a vulnerability in Anroid’s kernel is used by three apps from the Google Play Store to access a user’s phone. According to the researchers, the hacking group SideWinder is behind the apps.

The now removed Camero app would make use of the vulnerability CVE-2019-2215, which came to light in October 2019. The vulnerability has since been removed by means of an update, but Camero has been available for download in the Google Play Store since March of that year.

When Camero was installed, the vulnerability enabled it to download two other apps that collected various data. As the icon of the malicious apps disappeared immediately after installation, a user was unaware of the presence of a data-collection app on his or her phone.

TrendMicro suspects link with SideWinder

The control servers the apps contacted after installation were previously associated with the hack group SideWinder. Kaspersky researchers previously believed that the group mainly focused on Pakistani military groups. The group is also said to have recently used vulnerabilities in Microsoft Office to gain access to systems.

The apps have now been removed from the Google Play Store, but can still be found on phones. In its research, TrendMicro gives a number of indications, on the basis of which one can see whether a phone has been infected.