It's a pig-eat-pig world out there - at least on the mobile app threat front. Right after reports of malicious Bad Piggies on the Google Chrome Web Store circulated, we found that certain developers had also released their own, albeit rogue, versions of the game.
On the heels of Bad Piggies' launch last month, we saw rogue versions of the game on specific web pages hosted on Russian domains. These versions are not affiliated with the game at all. Based on our analysis, these apps are verified as malicious, specifically premium service abusers, which send SMS messages without user consent and leave users with unnecessary charges.
Slicing Through Malicious Bad Piggies Version
During our research, we used the keyword "Bad Piggies" and encountered 48 Russian domains. Among these sites is piggies-{BLOCKED}d.ru, which appears as an app download page.
The site offers the app on different platforms. Instead of the actual Bad Piggies app, users download a malicious .APK file detected as ANDROIDOS_FAKEINST.A. Once installed, it creates a shortcut on the device’s homepage and sends SMS messages to specific numbers. As mentioned, these messages are sent without user consent and may leave users paying extra for something they didn’t authorize.
According to mobile security engineer Bob Pan, ANDROIDOS_FAKEINST.A obfuscates its code by inserting junk code and by encrypting its strings, which it decrypts upon execution. It also replaces all class, method, and field names with meaningless strings, making analysis difficult.
The created shortcut also has a surprise of its own. When clicked, it leads users to a specific URL to download a browser update. This update is actually JAVA_SMSSEND.AB, which also sends unauthorized SMS messages to specific numbers. As you may recall, we previously saw this malicious MIDlet disguised as an installer for Skype.
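For defenders triaging a suspect download, the two device-side behaviours described above (sending SMS and creating a home-screen shortcut) each require a declared Android permission, so they are visible in the manifest before the app ever runs. The following is an added example, not code from the original post; it assumes the APK's manifest has already been decoded to text XML (for example with apktool), and the sample manifest and package name are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that enable the two behaviours the post describes.
RISKY = {
    "android.permission.SEND_SMS": "can send SMS messages",
    "com.android.launcher.permission.INSTALL_SHORTCUT": "can add a home-screen shortcut",
}

# Constructed sample manifest for a hypothetical fake game package.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="com.android.launcher.permission.INSTALL_SHORTCUT"/>
  <application android:label="Bad Piggies"/>
</manifest>"""


def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name:
                perms.add(name.strip())
    return perms


def triage(manifest_xml):
    """Flag a package that claims to be a game but asks for SMS-sending rights."""
    root = ET.fromstring(manifest_xml)
    perms = requested_permissions(manifest_xml)
    findings = sorted(f"{p}: {why}" for p, why in RISKY.items() if p in perms)
    return {
        "package": root.get("package"),
        "findings": findings,
        # A game has no functional need for SEND_SMS, so treat it as the decisive signal.
        "suspicious": "android.permission.SEND_SMS" in perms,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```

A permission match is a triage signal rather than a verdict; the obfuscation described above means the code itself still needs analysis to confirm what the SMS permission is used for.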
Mobile App Launch Triggers User and Cybercriminal Interest
As sly as these guys are, cybercriminals and other bad guys are sometimes creatures of habit. They will stick to certain formulas to ensure users will bite on their dubious schemes. In this incident, the formula is app popularity plus media coverage equals more user interest. Bad Piggies is a spinoff of the highly popular Angry Birds franchise, and its release enjoyed good coverage from popular media. Such is also the case with the malicious Instagram and Angry Birds Space apps we reported previously. Right after news of Instagram for Android and Facebook’s acquisition, we immediately saw malicious versions sprouting on the Internet. To victimize as many users as possible, shady developers and certain crooks created rogue versions to take advantage of these apps’ popularity and their media exposure.
Russian domains also appear to be the favorite among rogue app developers. From the beginning of this year up to July, we already blocked more than 6,000 mobile app pages hosted on .RU domains. This is definitely an increase compared to last year’s 2,946 blocked sites. To lead users to these sites, the people behind these apps spread the links via forums, blog posts, or email.
To avoid downloading a fake app (or worse, malware disguised as an app), users should stick to legitimate app stores like Google Play. They should also make it a habit to research the app and the reputation of its developers. To know more about how to make your mobile experience safer, you may read our Digital Life e-Guide 5 Simple Steps to Secure Your Android-Based Smartphones.
Mobile users need not worry as they are protected by Trend Micro Mobile Security for Android, which detects and deletes the said rogue apps. Smart Protection Network™ also blocks access to the sites hosting these apps.