Wandera’s threat research team has discovered an app with malicious functionality on the Google Play Store. The app – which is scary in more ways than one – is a horror video game called “Scary Granny ZOMBYE Mod: The Horror Game 2019” with over 50,000 downloads. Note: this game was removed from the Play Store on June 27 in response to our research.
This is what our analysis found:
The application uses a time-release functionality – so malicious behavior is not apparent immediately, perhaps to avoid raising suspicion. In some cases during our testing, the app would function for two days before the malicious activity was initiated. The app also targets victims depending on the operating system version their device is running. In our testing, we discovered that if the game is played on a device with the latest Android OS, it doesn’t exhibit malicious behavior, but on older versions it does.
Once installed, the app triggers a persistent phishing attack on the victim’s device. First, it displays a notification telling the user to update Google security services. When the user hits ‘update’, a fake Google login page is presented, which is very convincing other than the fact ‘sign in’ is spelled incorrectly. From here, the app tries to steal the victim’s Google username and password.
The app also exhibits behavior consistent with adware – launching itself, and overlaying the full-screen Google phishing page even outside of the app and even after the device is restarted.
The app asks for the run at startup or ‘RECEIVE_BOOT_COMPLETED’ Android permission which allows the app to launch itself when the device is rebooted. This means there is no easy way for the user to avoid the full-screen overlays that the app is commanding, including this Google phishing page. According to one review on the Google Play Store, a user had to replace his device after downloading the app.
Once the app has tricked the user into entering their Google credentials, the app then scrapes the user’s Google account for additional information including:
- Recovery emails
- Recovery phone numbers
- Verification codes
- Cookies and tokens
By inspecting the network traffic we were able to see that the app establishes a connection with Google by logging in to the user’s account with the app’s inbuilt browser. We could see the user information including cookies and session identifier being gathered and shipped off to the attacker without the user knowing. This is a proof point that this attack goes beyond typical credential theft that usually happens via social engineering.
The app does this account scraping by using obfuscated classes within the package with the name ‘com.googles.android.gms’ which closely resembles the name of the legitimate Google package ‘com.google.android.gms’.
In addition to this Google package, there is a Facebook package that is called ‘com.facebook.core’ which, upon examination of the app code, appears to have similar functionality. It can log in with phished Facebook credentials and steal the user’s account and cookie information. We haven’t seen this is our testing yet but the malicious functionality is embedded in the app.
The persistent ads are displayed as an overlay activity called ‘overactivity’ in the decompiled code and they can mimic ads from other applications. In our analysis, we could see that when viewing all the open apps on the device, it appeared there were apps open including Facebook and Amazon but these were actually ads that the Scary Granny app had opened and disguised as legitimate applications. Other applications the app is able to mimic when displaying ads include:
- Facebook Lite
Our threat research team is continuing to investigate these ads. We have reason to believe they are trying to make the user download further malicious apps. In one example, the ad directs the user to a page which Google blocked, flagging it as being deceptive, which suggests it hosts malware or a phishing attack.
The app profits in two main ways: by trying to get the user to pay for the app, and by using ad networks. Upon installation, the game asks the user to pay for the game or to do a free trial. When the user selects the free trial the app loads a pre-populated PayPal payment page for £18 ($22).
The app also connects to an ad network via a package called ‘com.coread.adsdkandroid2019’ which displays the ads mentioned above in an effort to drive profit and inflict further damage to the device. Note: Research into the ad networks is still in progress.
We analyzed two versions of this app. The first one was constantly crashing and was basically unusable due to the persistent phishing page being displayed over any app including over the game and even after a device reboot. We were also able to see within the code that the app had the ability to steal Google and Facebook account data but it wasn’t making these transactions due to the constant crashing. The new version of the app doesn’t seem to have these issues. We were able to play the game for a couple of days in some cases before any ads were displayed.
With over 50,000 installations and a 4-star review, the game clearly has some appeal. When our research commenced the app had just over 1,000 downloads and within three weeks that number jumped to 50,000. During our research, we played the game and unlike some malware – embedded in apps with terrible user experience and very basic interface – the app actually works! The developers have clearly gone to a lot of effort to create a fully functioning game in which you, the main player, are in a house running away from zombies and trying to find extra life and weapons.
Despite the Google Play Store’s rigorous security checks, this app that has a shocking number of malicious functions has made it through. Perhaps by using time-released malicious behavior, by using package names that closely resemble legitimate ones, and by being a fully functioning game, the game evaded suspicion and known red flags.
What can you take away from this scary story? Always do your own security vetting and don’t blindly trust apps on the official app stores.