We found three malicious apps in the Google Play Store that work together to compromise a victim’s device and collect user information. One of these apps, called Camero, exploits CVE-2019-2215, a vulnerability that exists in Binder (the main Inter-Process Communication system in Android). This is the first known active attack in the wild that uses the use-after-free vulnerability. Interestingly, upon further investigation we also found that the three apps are likely to be part of the SideWinder threat actor group’s arsenal. SideWinder, a group that has been active since 2012, is a known threat and has reportedly targeted military entities’ Windows machines.