An Android horror game was found stealing the Facebook and Google credentials of its users, along with performing other malicious activities. Google took down the game on June 27, but not before it managed to log over 50,000 downloads.
The application was called Scary Granny ZOMBYE Mod: The Horror Game 2019, which rides on the popularity of a similarly named horror game called Granny. It avoids immediate suspicion by acting as a normal game the first two days upon installation, before starting its malicious activities.
One of its initial actions is a phishing tactic to collect the user’s Google credentials. It notifies users to update Google Play services only to subsequently display a fake login page. The login page contains the usual indication of a phishing page in its misspelling of the “sign in.”
After collecting the credentials, the app will then log into the user’s Google account using a built-in browser and an obfuscated package. The obfuscated package is named to resemble a legitimate Android app. For example, it used com.googles.android.gms, which is similar to the legitimate Google package com.google.android.gms. It also used a Facebook package called com.facebook.core, which appears to have the same function as the Google package.
After successfully logging in, the app will collect further information such as the user’s recovery email address, birthday, verification codes, recovery phone numbers, cookies, and tokens.
Aside from stealing user credentials, the app also displays persistent ads. It disguises ads as legitimate and well-known applications, wherein they appear as open apps. A closer inspection reveals that they're actual ads opened by the malicious app.
The ads are part of the profit scheme of this app, which also asks users to pay US$22 for the game.
The app employs persistence tactics that would make it difficult for users to remove. It can launch itself and overlay the fake Google Sign In page even when the device is restarted.
The game does this by asking permission to run at startup, which will allow it to run even when the device is rebooted.
Researchers from Wandera, who discovered this malicious app, noted that the malicious activity described above only worked on older versions of the Android OS.
The researchers also pointed out how it behaved as a normal game, free of malicious activity, if launched in the latest Android OS. This means its developers spent time to create an actual working game, justifying how they can convince users to pay for the game itself. Ultimately, the app manages to hide several other tricks behind its horror game exterior.
It employs a combination of familiar schemes to gain the most profit, exemplifying how longstanding methods like phishing remain a mainstay in the mobile threat landscape. The app also showed how such campaigns use other schemes like ad fraud as a secondary way to make a profit.
Trend Micro Mobile Security Solutions
End users and enterprises can also benefit from multilayered mobile security solutions such as Trend Micro™ Mobile Security for Android™ (available on Google Play), and Trend Micro™ Mobile Security for Apple devices. Trend Micro™ Mobile Security for Enterprise provides device, compliance and application management, data protection, and configuration provisioning, as well as protects devices from attacks that exploit vulnerabilities, preventing unauthorized access to apps as well as detecting and blocking malware and fraudulent websites.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.