Analyzing FlappyBird: How Codenomicon's AppCheck saved my Android

Introduction

Early last year, an article was published in ZDNET [1] summarizing the rise of Android phones in the mobile world showing statistics that to date, Android is the number one and most used platform on smartphones. This has led not only to the rise of the platform but also the rise of malware and cyber criminals taking advantage of this to enhance their criminal operations and profiteering from it. While scamming is an age old criminal tactic, it has also been heavily utilized and engineered for the cyber world aiming at clueless and gullible people who download anything that is famous and free. This paper aims to share about the famous Flappy Bird game application in Android and how its fame was used by opportunists to spread malware and how a dynamic analysis of both the genuine and fake application allow analysts and organizations to understand what it does and how organizations can prevent it on their smartphones.

FlappyBird in the Media

Everyone have heard of this Flappy Bird [2] game. It was created and designed by Dong Nguyen, a Vietnam based developer and published by .GEARS studios [3]. Release in May 2013 and rise to popularity in early 2014, Flappy Bird was downloaded by an estimated amount of 50 million times and making an average amount of $50,000 a day [4]. But its fame comes with a price as the game was heavily criticized for both its design and its difficulty [5] which later it was stopped and removed from the application store by the developer himself [6]. It was during this ‘cut-off’ period that other developers also wanted to have a piece of the cake, developing clones of the software, taking advantage of the situation and gamers. This also led to opportunists developing its own Flappy Bird containing malware as reported by McAfee that almost 79% of Flappy Bird clones were riddled with Malware [7].

Intention of this Article

In this paper, I will illustrate, with the help of AppCheck to analyze the genuine and malware-ridden Flappy Bird (apk file) and perform additional manual analysis to differentiate what they do and how it impacts the Android users even before installing it on the smartphone. I will also explore the differences of permissions used as well as the behavior of the applications when performed dynamic analysis so that we are transparent of what the application was intended when it was created.

The Analysis

In this analysis, I downloaded and used 2 APK files downloaded from the following: 

1)  Genuine: http://www.wandoujia.com/apps/com.dotgears.flappybird

2)  Malware Ridden: http://androidmalwaredump.blogspot.sg/2014_02_01_archive.html

The AppCheck Interface

Analyzing the Details of the Application via AppCheck

Analyzing the Certificate Details

Findings: Using third party tools to analyze the certificates, the fake application’s cert is shown to use a freeware email provider as its owner name. The MD5 checksum for the genuine application remains consistent to the other Flappy Bird application provided by trusted source like Google Play, however, the fake Flappy Bird has different checksum and certificate details. This observation proves the multiple clones of malicious Flappy Bird application.

Analyzing the Android Permission via AppCheck

Findings: Looking at the genuine game application, the permissions were pretty standard for most gaming application making use of the ‘Wake_Lock’, ‘Internet’ and ‘Access_Network_State’, however, the permissions for the Malware-Ridden application are using additional activities besides the one used in the genuine application. They are ‘Send_SMS’, ‘System_Alert_Window’, ‘Read_SMS’ and ‘Receive_SMS’. One surely question why the additional activities are required for such a harmless gaming application.

Analyzing the Stats via AppCheck

Findings: There were no information for the genuine application. For the Malware-Ridden application, 2 unique domains were contacted. There are

1)  www.wap4android.info

2)  www.Serviceappsite.com

Browsing to the respective sites, we get the following results:

For wap4android.info

For serviceappsite.com

Using Scamadviser.com to check for the genuinity of the website, the following results were seen:

For wap4android.info

For serviceappsite.com

Findings: The 2 websites that was found by AppCheck seemed to be unable to access and one stated as ‘Account Suspended’. Based on the scamadviser.com, the registrant of the wap4android.info seemed to be suspicious with its address to be non-existent and the owner name as gibberish.

Network Events via AppCheck

There were no network events or activity found from the genuine application. For the malware-ridden application, there were a few findings.

In this analysis, I shall focus only the following as highlighted.

Below is the detailed finding captured from the network analysis via AppCheck:

Findings: As shown here, during the installation of the application, the application tried to contact the domain ‘serviceappsite.com’ with a GET request of the url ‘/services/payment.php’. If this application is meant to be free, then why would it contact a website with such a url suspicious of asking for payment?

Sophos Take on Flappy

Andras Mendik from SophosLabs wrote an article detailing the process of the installation result for both the genuine and fake application [8]. It shows clearly how the application make use of the SMS to exploit user ignorance and allowed them to profit from it.

The Malicious Flappy Bird in Action*

Below screenshots detailed how the malicious application exploit on the SMS application.

Processes*:

1) FlappyBird Fig 1: The imposter pretends to be a trial version that has expired; all you need to do is send an SMS to reactivate it

2) FlappyBird Fig 2: That's a premium-rate SMS account, and you do get a warning - most users, we assume, will be rightly suspicious by now

3) FlappyBird Fig 3: If you decide not to send the SMS and not to use the app, it offers to exit, as you might expect

4) FlappyBird Fig 4: But it doesn't exit at all. The app screen disappears, but the software keeps running in the background, as you will see if you click "Yes" to exit and then go to the list of recent apps

*(Credits to Sophos for the Flappy Bird screenshots and processes)

Conclusion

With thousands of applications being created every day, organizations and developers must find a way to address such potential issues before being installed or deployed in critical organizations. It could be in a form of mobile application or other binary format, provided or downloaded from third party sites. While AppCheck is used to find known vulnerabilities and not a product to check for infections or Malware, this paper demonstrates how AppCheck can be used to analyze the behavior of the application and analysts can detect suspicious behavior and flag unintended activities that are used in malware. 

For more information on Codenomicon and AppCheck, click on the image to visit: 

References

1) http://www.zdnet.com/article/smartphone-operating-systems-the-rise-of-android-the-fall-of-windows/

2) http://flappybird.io/

3) http://en.wikipedia.org/wiki/Flappy_Bird

4) http://www.businessinsider.sg/splashy-fish-creator-says-how-big-his-flappy-bird-clone-is-2014-2

5) http://www.ign.com/articles/2014/02/08/flappy-bird-review

6) http://news.yahoo.com/real-reason-flappy-bird-removed-113009222.html

7) http://www.pcmag.com/article2/0,2817,2459981,00.asp

8) https://nakedsecurity.sophos.com/2014/02/11/flappy-bird-really-is-dead-beware-of-infected-fakes-that-promise-to-keep-him-alive/