Recent mobile gaming sensation "Flappy Bird" did more than just frustrate millions of players with its old-school difficulty while charming them with it throwback graphics. It also caught the attention of many malware creators, who saw an opportunity to create knockoffs that imitated the game's look and feel but housed malware.
Some "Flappy Bird" imitators house chargeware
Once "Flappy Bird" creator Dong Nguyen removed the game from the Apple App Store and Google Play in early February, a host of would-be replacements emerged, ranging from stylistically similar offerings such as "Ironpants" to blatant copies that completely mirrored the original. Trend Micro researchers discovered the latter category of apps, all of which request additional device permissions.
On Android, the original "Flappy Bird" only requests full network access (so that it can serve ads) and the ability to prevent the phone screen from going to sleep during gameplay. In contrast, the malicious carbon-copies ask for the ability to read and write text messages, so that it can send SMS to premium numbers. These scams rack-up unwanted charges on users' phone bills. It also wants permission to view bookmarks and history, draw over other apps and access various system tools.
The proliferation of malicious "Flappy Bird" imitators underscores how seemingly innocuous mobile apps can house hidden risks. While the original "Flappy Bird" was pretty transparent as free games go – it requested only two permissions, compared to properties such as Angry Birds that strangely request the ability to read phone calls – app stores are full of software that leaks data and may conduct unwanted background activity. For cybercriminals, the untimely demise of a popular game is an opportunity to dress this type of functionality up as something legitimate.
"We can expect to see a phenomenon like Flappy Bird being used as bait in any number of scams and attacks," stated Trend Micro director of security research Rik Ferguson. "[That could] range from spam, social media attacks through Facebook or Twitter [to] Trojanized apps and malicious downloads."
There are a number of deviations in the imposter version. It pretends to have a trial period, after which it tells users that it can be reactivated simply by sending a text message to a premium-rate SMS account. The app also has an "Are you sure…?" exit prompt not found in the original game; even if the user confirms, the app continues to run in the background and can be found in the recent apps display.
Downloading apps from outside Google Play: Not recommended
Issues with imposter apps also demonstrate how security best practices for PCs and Macs are applicable to mobile endpoints. For example, Android users can still download apps from unofficial sources, which is not recommended since these pieces of software probably haven't undergone the automatic malware scans that all Google Play apps are subject to prior to going live.
Operating systems such as Apple's OS X and Microsoft's Windows 8 already steer users to their official app stores, although the option to download from unknown sources still exists. Similarly, on most Android devices shipped with Google services, the default setting is to only allow downloads from the Google Play, although there's still a number of older smartphones and tablets that may have different configurations.
Users may opt to enable the "Unknown Sources" setting, which allows a device to download an APK file from anywhere, to get back access to discontinued apps such as "Flappy Bird." But, as the chargeware incident demonstrates, doing so is risky business since many unvetted apps grant themselves extensive permissions and may attempt to take over the device.
One of the biggest risks is any app that pretends to be a system app. At a recent Black Hat conference, security researchers demonstrated that it's not hard to create software that closely imitates built-in Android services, which generally have access to most aspects of the device. For example, Google Play Services has numerous permissions and can grant itself additional ones without asking for the user's consent. If malware were to do the same and then be downloaded via an unofficial channel, it could essentially take over the device, stealing all passwords and stored data while being able to send out arbitrary messages.
"The risk is when users install applications from third-party websites," Sophos security advisor Chester Wisniewski told NBC News. "This practice is always dangerous, this just makes it extra difficult to determine if an app has been tampered with. It should be assumed that an app has been tampered with anytime it is acquired from a source other than the original manufacturer or the Play Store."
Even legitimate apps from Google Play can contain unseen risks
Disabling the "Unknown Sources" setting is the best way to avoid the most risky applications, but doing so doesn't necessarily put users in the clear. Legitimate apps may still contain risks.
The travel app Trapster is a good example. It allows users to report on speed traps, road hazards, accidents and red light cameras. However, it has a loophole that allows any user to be tracked. The "patrol lines" feature shows users who are traveling and haven't reported any incidents yet, but if the observer recognizes the user name then it's possible to track individuals for hours at a time.
Trapster truncates the trajectories by 500 meters at the start and finish so as to hide sensitive locations such as homes or workplaces. Still, the app doesn't give users the option to opt-out of patrol lines tracking.
The effects of imposter apps like Flappy Bird clones, as well as the vulnerabilities of legitimate ones like Trapster, make the case that users should pay more attention to what applications ask for from the user, and why they do so. Clearing the air would be a good way to educate users about the risks they need to look out for when using mobile apps.