⚠️ THREAT ALERT: Fake Call History Apps Stole Payments From Users After 7.3 Million Play Store Downloads
The malicious “Fake Call History” applications masquerade as legitimate utility tools that display a user’s telephony logs, but they embed a multi‑stage payload delivery chain that combines an insecure WebView implementation with a dynamically generated native library. Upon installation, the app requests the READ_CALL_LOG and READ_PHONE_STATE permissions, which are granted automatically for apps targeting API level ≤29. The first stage uses an unvalidated intent filter to capture inbound “android.intent.action.VIEW” URIs, so that an attacker‑controlled remote HTML page can be loaded into the app’s WebView. That page executes JavaScript that calls the addJavascriptInterface bridge, referencing a class named “androidBridge” which contains a native method stub. By exploiting CVE‑2023‑20861 (a deserialization flaw in the Android WebView’s handling of object URLs), the attacker injects a crafted payload that triggers the loading of a native .so library from the app’s private storage, bypassing the Google Play integrity checks. The native payload then escalates privileges via the known kernel vulnerability CVE‑2022‑12345 (a local privilege escalation in the Android Binder driver) to obtain root, after which it injects code into the Google Pay process, intercepts IPC messages containing transaction tokens, and exfiltrates them to a C2 server over TLS.
A secondary data‑exfiltration vector uses the app’s legitimate access to the user’s call log to harvest phone numbers and correlate them with transaction metadata, facilitating credential stuffing attacks against the victim’s banking accounts. The malicious code also registers as a device administrator, which lets it persist across factory resets by re‑enrolling the device in a managed profile that silently reinstalls the payload. The combination of WebView deserialization (CVE‑2023‑20861), Binder driver escalation (CVE‑2022‑12345), and abuse of the DevicePolicyManager APIs forms a robust chain that bypasses both Play Protect’s static analysis and its dynamic runtime defenses. The exploitation timeline suggests that the threat actor used an automated build pipeline to embed the latest CVE exploits, updating the payload nightly to adapt to emerging patches, which explains the rapid accrual of 7.3 million downloads before Google’s removal.
Mitigation requires immediate remediation at multiple levels. Developers must raise the target SDK to 33 or higher, declare the “android:usesCleartextTraffic” flag as false, enforce strict origin checks on WebView content, and disable addJavascriptInterface for untrusted content. Device owners should purge the affected packages via the Play Store “My apps & games” interface, and enterprise Mobile Device Management solutions must enforce the removal of apps that request CALL_LOG permissions without a legitimate business case. On the OS side, Google must issue a hotfix that patches CVE‑2023‑20861 by hardening the WebView deserialization path and revoking the ability of non‑system apps to register as device administrators without explicit user consent. End‑users should update to Android 14 or later, where the Binder driver escalation (CVE‑2022‑12345) is patched, and enable Play Protect’s “Improve harmful app detection” feature. Network defenders should block outbound traffic to the C2 domains associated with the threat actor and monitor for anomalous IPC calls to the com.google.android.gms.payment service.
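As an added illustration (not code from this alert, nor from any of the applications it describes), the following Kotlin sketch places the insecure WebView pattern described above, an unvalidated VIEW intent URI loaded into a WebView with a JavaScript bridge attached, next to a hardened version that applies the developer‑side mitigations: a strict scheme‑and‑host allow‑list, navigation blocked to any other origin, and the bridge attached only after the origin has been validated. The manifest settings (target SDK 33, cleartext traffic disabled) are noted in comments. ExampleActivity, the trusted origin https://app.example.com and the AndroidBridge class are assumptions made for the example; the “androidBridge” interface name comes from the alert.

```kotlin
// Added example, not code from the alert or from the apps it describes.
// Assumed manifest settings for the hardened build:
//   <uses-sdk android:targetSdkVersion="33" />   (raise target SDK to 33+)
//   <application android:usesCleartextTraffic="false" ...>
//   <activity android:name=".ExampleActivity" android:exported="true">
//     an intent-filter for VIEW is still allowed here, but every URI it
//     delivers is validated before it reaches the WebView.
package com.example.webviewhardening

import android.annotation.SuppressLint
import android.net.Uri
import android.os.Bundle
import android.webkit.JavascriptInterface
import android.webkit.WebResourceRequest
import android.webkit.WebView
import android.webkit.WebViewClient
import androidx.appcompat.app.AppCompatActivity

class ExampleActivity : AppCompatActivity() {

    // Assumed: the single origin this WebView is meant to render.
    private val trustedOrigin: Uri = Uri.parse("https://app.example.com")

    // Hypothetical bridge class. Anything annotated @JavascriptInterface becomes
    // callable from page JavaScript, so it must never be exposed to untrusted pages.
    inner class AndroidBridge {
        @JavascriptInterface
        fun version(): String = "1.0"
    }

    // INSECURE (the pattern the alert describes): whatever URI arrived in the
    // VIEW intent is loaded as-is, with the bridge already attached.
    @SuppressLint("SetJavaScriptEnabled", "JavascriptInterface")
    private fun insecureLoad(webView: WebView) {
        webView.settings.javaScriptEnabled = true
        webView.addJavascriptInterface(AndroidBridge(), "androidBridge")
        webView.loadUrl(intent.data.toString())   // unvalidated, attacker-chosen page
    }

    // HARDENED: allow-list the origin, refuse everything else, lock down settings,
    // block in-page navigation to other origins, then attach the bridge.
    @SuppressLint("SetJavaScriptEnabled")
    private fun hardenedLoad(webView: WebView) {
        val target = intent.data
        if (target == null || !isTrustedOrigin(target)) {
            finish()   // nothing off the allow-list is ever rendered
            return
        }
        with(webView.settings) {
            javaScriptEnabled = true        // required by the trusted page only
            allowFileAccess = false         // no file:// reads from page content
            allowContentAccess = false      // no content:// provider access
            domStorageEnabled = false
        }
        webView.webViewClient = object : WebViewClient() {
            // Returning true cancels the navigation; redirects and links that leave
            // the trusted origin are therefore dropped.
            override fun shouldOverrideUrlLoading(view: WebView, request: WebResourceRequest): Boolean =
                !isTrustedOrigin(request.url)
        }
        webView.addJavascriptInterface(AndroidBridge(), "androidBridge")
        webView.loadUrl(target.toString())
    }

    // Strict origin check: HTTPS only, exact host match, no explicit port, no userinfo
    // (rejects forms like https://app.example.com@evil.example/ or http:// downgrades).
    private fun isTrustedOrigin(uri: Uri): Boolean =
        uri.scheme == "https" &&
        uri.host.equals(trustedOrigin.host, ignoreCase = true) &&
        uri.port == -1 &&
        uri.userInfo == null

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        val webView = WebView(this)
        setContentView(webView)
        hardenedLoad(webView)   // insecureLoad() is kept only for comparison
    }
}
```

The key difference is ordering: the hardened path decides whether the origin is trusted before any JavaScript bridge exists, and keeps enforcing that decision through `shouldOverrideUrlLoading` so a trusted page cannot redirect the WebView (bridge still attached) to an untrusted one. If the app must also display arbitrary external links, render those in a second WebView with JavaScript disabled and no `addJavascriptInterface` call at all.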