SideWinder advanced persistent threat (APT) group, report Trend Micro’s Ecular Xu and Joseph Chen in a blog post. Sidewinder, a group detected by Kaspersky Labs in the first quarter of 2018, primarily targets Pakistani military infrastructure and has been active since at least 2012. Security researchers believe the threat group is associated with Indian espionage interests and has a history of targeting both Windows and Android devices.

SideWinder installs the payload app in two stages. It first downloads a DEX file (an Android file format) from
its command and control (C&C) server. We found that the group employs Apps Conversion Tracking to
configure the C&C server address. The address was encoded by Base64 then set to referrer parameter in the
URL used in the distribution of the malware.

Android apps Camero, Filecrypt Manager, and callCam are believed to be related to the SideWinder group and have been active on Google Play since March 2019, based on one of the apps’ certificate information. All have since been removed from the Play store.

IoCs:

webserv-redir.net 185.106.120.43
heartissuehigh.win 185.106.120.43
mail.webserv-redir.net 185.106.120.43
www.webserv-redir.net 185.106.120.43