Android users at risk from unapproved imposter apps

  • Posted on: February 26, 2014
  • Posted in: Cloud, Industry News, Privacy & Policy, Vulnerabilities & Exploits
  • Posted by: Trend Micro

Recent mobile gaming sensation "Flappy Bird" did more than just frustrate millions of players with its old-school difficulty while charming them with its throwback graphics. It also caught the attention of many malware creators, who saw an opportunity to create knockoffs that imitated the game's look and feel but housed malware.

Some "Flappy Bird" imitators house chargeware
Once "Flappy Bird" creator Dong Nguyen removed the game from the Apple App Store and Google Play in early February, a host of would-be replacements emerged, ranging from stylistically similar offerings such as "Ironpants" to blatant copies that completely mirrored the original. Trend Micro researchers discovered the latter category of apps, all of which request additional device permissions.

On Android, the original "Flappy Bird" only requests full network access (so that it can serve ads) and the ability to prevent the phone screen from going to sleep during gameplay. In contrast, the malicious carbon copies ask for the ability to read and write text messages so that they can send SMS messages to premium numbers. These scams rack up unwanted charges on users' phone bills. The copies also want permission to view bookmarks and history, draw over other apps and access various system tools.
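The permission gap described above can be checked mechanically. The following Python code is an added example, not code from Trend Micro: it compares the `uses-permission` entries of an AndroidManifest.xml (assumed already decoded to text XML) against the original game's two-permission baseline. The mapping from the article's wording to Android permission constants, the `audit` helper and the sample manifests are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Baseline: the two permissions the article attributes to the original game.
# Mapping the article's wording to these constants is an assumption.
BASELINE = {
    "android.permission.INTERNET",   # "full network access"
    "android.permission.WAKE_LOCK",  # "prevent the phone screen from going to sleep"
}

# Permissions matching the extra requests the article lists for the clones.
HIGH_RISK = {
    "android.permission.SEND_SMS": "can send premium-rate SMS",
    "android.permission.READ_SMS": "can read text messages",
    "android.permission.WRITE_SMS": "can write text messages",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS": "can view bookmarks and history",
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw over other apps",
}

def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:
                perms.add(name.strip())
    return perms

def audit(manifest_xml, baseline=BASELINE):
    """Report permissions beyond the baseline and flag the high-risk ones."""
    extra = requested_permissions(manifest_xml) - set(baseline)
    flagged = {p: HIGH_RISK[p] for p in extra if p in HIGH_RISK}
    return {"extra": sorted(extra), "flagged": flagged, "suspicious": bool(flagged)}

def _manifest(perms):
    # Build a constructed, decoded-text AndroidManifest.xml for the demo.
    rows = "".join('<uses-permission android:name="%s"/>' % p for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            'package="com.example.constructed">%s</manifest>' % rows)

# Constructed samples: one matching the baseline, one shaped like the clones.
ORIGINAL = _manifest(sorted(BASELINE))
CLONE = _manifest(sorted(BASELINE | set(HIGH_RISK)) + ["android.permission.VIBRATE"])

if __name__ == "__main__":
    for label, xml_text in (("original", ORIGINAL), ("clone", CLONE)):
        print(label, audit(xml_text))
```

A permission outside the baseline that is not in the high-risk table (here `VIBRATE`) is reported under `extra` but does not by itself mark the app as suspicious.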

The proliferation of malicious "Flappy Bird" imitators underscores how seemingly innocuous mobile apps can house hidden risks. While the original "Flappy Bird" was pretty transparent as free games go – it requested only two permissions, compared to properties such as Angry Birds that strangely request the ability to read phone calls – app stores are full of software that leaks data and may conduct unwanted background activity. For cybercriminals, the untimely demise of a popular game is an opportunity to dress this type of functionality up as something legitimate.

"We can expect to see a phenomenon like Flappy Bird being used as bait in any number of scams and attacks," stated Trend Micro director of security research Rik Ferguson. "[That could] range from spam, social media attacks through Facebook or Twitter [to] Trojanized apps and malicious downloads."

There are a number of deviations in the imposter version. It pretends to have a trial period, after which it tells users that it can be reactivated simply by sending a text message to a premium-rate SMS account. The app also has an "Are you sure…?" exit prompt not found in the original game; even if the user confirms, the app continues to run in the background and can be found in the recent apps display.

Downloading apps from outside Google Play: Not recommended
Issues with imposter apps also demonstrate how security best practices for PCs and Macs are applicable to mobile endpoints. For example, Android users can still download apps from unofficial sources, which is not recommended since these pieces of software probably haven't undergone the automatic malware scans that all Google Play apps are subject to prior to going live.

Operating systems such as Apple's OS X and Microsoft's Windows 8 already steer users to their official app stores, although the option to download from unknown sources still exists. Similarly, on most Android devices shipped with Google services, the default setting is to only allow downloads from Google Play, although there are still a number of older smartphones and tablets that may have different configurations.

Users may opt to enable the "Unknown Sources" setting, which allows a device to download an APK file from anywhere, to get back access to discontinued apps such as "Flappy Bird." But, as the chargeware incident demonstrates, doing so is risky business since many unvetted apps grant themselves extensive permissions and may attempt to take over the device.

One of the biggest risks is any app that pretends to be a system app. At a recent Black Hat conference, security researchers demonstrated that it's not hard to create software that closely imitates built-in Android services, which generally have access to most aspects of the device. For example, Google Play Services has numerous permissions and can grant itself additional ones without asking for the user's consent. If malware were to do the same and then be downloaded via an unofficial channel, it could essentially take over the device, stealing all passwords and stored data while being able to send out arbitrary messages.

"The risk is when users install applications from third-party websites," Sophos security advisor Chester Wisniewski told NBC News. "This practice is always dangerous, this just makes it extra difficult to determine if an app has been tampered with. It should be assumed that an app has been tampered with anytime it is acquired from a source other than the original manufacturer or the Play Store."

Even legitimate apps from Google Play can contain unseen risks
Disabling the "Unknown Sources" setting is the best way to avoid the most risky applications, but doing so doesn't necessarily put users in the clear. Legitimate apps may still contain risks.

The travel app Trapster is a good example. It allows users to report on speed traps, road hazards, accidents and red light cameras. However, it has a loophole that allows any user to be tracked. The "patrol lines" feature shows users who are traveling and haven't reported any incidents yet, but if the observer recognizes the user name then it's possible to track individuals for hours at a time.

Trapster truncates the trajectories by 500 meters at the start and finish so as to hide sensitive locations such as homes or workplaces. Still, the app doesn't give users the option to opt out of patrol lines tracking.

The effects of imposter apps like Flappy Bird clones, as well as the vulnerabilities of legitimate ones like Trapster, make the case that users should pay more attention to what applications ask for from the user, and why they do so. Clearing the air would be a good way to educate users about the risks they need to look out for when using mobile apps.
