Introduction
Early last year, ZDNET published an article [1] summarizing the rise of
Android phones in the mobile world, with statistics showing that Android is,
to date, the number one and most used platform on smartphones. This has led
not only to the rise of the platform but also to a rise in malware, with cyber
criminals taking advantage of its popularity to enhance their criminal
operations and profit from them. While scamming is an age-old criminal tactic,
it has also been heavily utilized and engineered for the cyber world, aimed at
clueless and gullible people who download anything that is famous and free.
This paper looks at the famous Flappy Bird game application on Android, how
its fame was used by opportunists to spread malware, and how a dynamic
analysis of both the genuine and the fake application allows analysts and
organizations to understand what each does and how organizations can keep it
off their smartphones.
FlappyBird in the Media
Everyone has heard of the Flappy Bird [2] game. It was created and designed
by Dong Nguyen, a Vietnam-based developer, and published by .GEARS studios
[3]. Released in May 2013, it rose to popularity in early 2014; Flappy Bird
was downloaded an estimated 50 million times and made an average of $50,000 a
day [4]. But its fame came at a price: the game was heavily criticized for
both its design and its difficulty [5], after which it was stopped and removed
from the application store by the developer himself [6]. It was during this
‘cut-off’ period that other developers, wanting a piece of the cake, developed
clones of the software, taking advantage of the situation and of gamers. This
also led to opportunists developing their own Flappy Bird containing malware;
McAfee reported that almost 79% of Flappy Bird clones were riddled with
malware [7].
Intention of this Article
In this paper, I use AppCheck to analyze the genuine and the malware-ridden
Flappy Bird (APK files), and perform additional manual analysis, to show how
they differ in what they do and how that affects Android users, even before
the application is installed on a smartphone. I also explore the differences
in the permissions used and in the behavior of the applications under dynamic
analysis, so that it is clear what each application was intended to do when it
was created.
The Analysis
In this analysis, I downloaded and used 2 APK files from the following:
The AppCheck Interface
Analyzing the Details of the Application via AppCheck
Analyzing the Certificate Details
Findings: Analyzing the certificates with third-party tools shows that the
fake application’s certificate uses a freeware email provider as its owner
name. The MD5 checksum of the genuine application is consistent with that of
the Flappy Bird application provided by a trusted source such as Google Play;
the fake Flappy Bird, however, has a different checksum and different
certificate details. This observation proves the existence of multiple clones
of the malicious Flappy Bird application.
Analyzing the Android Permission via AppCheck
Findings: For the genuine game application, the permissions were pretty
standard for most gaming applications: ‘Wake_Lock’, ‘Internet’ and
‘Access_Network_State’. The malware-ridden application, however, requests
additional permissions besides those used in the genuine application:
‘Send_SMS’, ‘System_Alert_Window’, ‘Read_SMS’ and ‘Receive_SMS’. One has to
question why these additional permissions are required for such a harmless
gaming application.
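The permission comparison above can be automated once both manifests are available as text. The following is an added example, not part of the original analysis or of AppCheck: it assumes the AndroidManifest.xml of each APK has already been decoded to plain XML (for example with apktool), and the package names and sample manifests are constructed placeholders.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# The four permissions the findings above list as present only in the fake app.
SMS_AND_OVERLAY = {"SEND_SMS", "READ_SMS", "RECEIVE_SMS", "SYSTEM_ALERT_WINDOW"}


def requested_permissions(manifest_xml):
    """Return the short names of all permissions a decoded manifest requests."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for elem in root.iter(tag):
            value = elem.get(ANDROID_NS + "name", "")
            if value:
                names.add(value.rsplit(".", 1)[-1].upper())
    return names


def compare(baseline_xml, candidate_xml):
    """Diff a candidate APK's permissions against a trusted baseline build."""
    base = requested_permissions(baseline_xml)
    cand = requested_permissions(candidate_xml)
    extra = cand - base
    return {
        "extra": sorted(extra),
        "high_risk": sorted(extra & SMS_AND_OVERLAY),
        "missing": sorted(base - cand),
    }


def _manifest(package, perms):
    # Constructed sample manifest; package names are placeholders.
    body = "".join(
        '<uses-permission android:name="android.permission.%s"/>' % p for p in perms
    )
    return (
        '<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
        'package="%s">%s<application/></manifest>' % (package, body)
    )


COMMON = ["WAKE_LOCK", "INTERNET", "ACCESS_NETWORK_STATE"]
GENUINE = _manifest("com.example.genuine", COMMON)
FAKE = _manifest("com.example.fake", COMMON + sorted(SMS_AND_OVERLAY))

if __name__ == "__main__":
    print(compare(GENUINE, FAKE))
```

A non-empty `high_risk` list for an app whose trusted build needs none of those permissions is the signal to hold the APK back for manual review.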
Analyzing the Stats via AppCheck
Findings: There was no information for the genuine
application. For the malware-ridden application, 2 unique domains were
contacted. There are
Browsing to the respective sites, we get the following
results:
For wap4android.info
For serviceappsite.com
Using Scamadviser.com to check the genuineness of the
websites, the following results were seen:
For wap4android.info
For serviceappsite.com
Findings: The 2 websites found by AppCheck appeared to be inaccessible, and
one showed ‘Account Suspended’. According to scamadviser.com, the registrant
of wap4android.info appeared suspicious, with a non-existent address and
gibberish as the owner name.
Network Events via AppCheck
There were no network events or activity found from the
genuine application. For the malware-ridden application, there were a few
findings.
In this analysis, I shall focus only on the following, as
highlighted.
Below is the detailed finding captured from the network
analysis via AppCheck:
Findings: As shown here, during installation the application tried to contact
the domain ‘serviceappsite.com’ with a GET request for the URL
‘/services/payment.php’. If this application is meant to be free, why would it
contact a website at a URL that suggests a request for payment?
Sophos Take on Flappy
Andras Mendik from SophosLabs wrote an article detailing the result of
installing both the genuine and the fake application [8]. It shows clearly how
the application makes use of SMS to exploit user ignorance, allowing its
operators to profit from it.
The Malicious Flappy Bird in Action*
The screenshots below detail how the malicious application exploits
the SMS application.
Processes*:
1) FlappyBird Fig 1: The imposter pretends to be a
trial version that has expired; all you need to do is send an SMS to reactivate
it
2) FlappyBird Fig 2: That's a premium-rate SMS
account, and you do get a warning - most users, we assume, will be rightly
suspicious by now
3) FlappyBird Fig 3: If you decide not to send the
SMS and not to use the app, it offers to exit, as you might expect
4) FlappyBird Fig 4: But it doesn't exit at all.
The app screen disappears, but the software keeps running in the background, as
you will see if you click "Yes" to exit and then go to the list of
recent apps
*(Credits to Sophos for the Flappy Bird screenshots and processes)
Conclusion
With thousands of applications being created every day, organizations and
developers must find a way to address such potential issues before
applications are installed or deployed in critical organizations. These could
take the form of a mobile application or another binary format, provided by or
downloaded from third-party sites. While AppCheck is used to find known
vulnerabilities and is not a product for checking for infections or malware,
this paper demonstrates how AppCheck can be used to analyze the behavior of an
application, so that analysts can detect suspicious behavior and flag
unintended activities that are used in malware.
References