pixel_dreams - Fotolia
Mobile researchers at security firm Check Point found malware code dubbed “AdultSwine” hidden in 60 game apps, many of them intended for young gamers.
According to Google Play’s data, the affected apps have been downloaded between three million and seven million times – a stark warning that, at times, not even Google Play apps can be trusted.
Google removed the affected apps from the Google Play app store soon after Check Point reported the issue.
An investigation of the malware revealed that it is designed to carry out three actions:
- Display ads that are often highly inappropriate, adult-themed and pornographic.
- Scare users into installing fake “security apps”.
- Dupe the user into allowing the app to send premium SMS messages at the victim’s expense.
The researchers also discovered that the malicious code can move laterally within the phone’s infrastructure, opening the door for other attacks, such as user password theft.
Once the infected app is installed on a device, it waits for a user to unlock the screen or start the phone in order to initiate the attack. The attacker then selects which of the three malicious actions to take and then displays it on the device owner’s screen.
The most shocking element of this malware is that it is capable of causing pornographic ads from the attacker’s ad library to pop up on the screen without warning, above legitimate game apps.
To scare users into installing unnecessary and harmful “security” apps, the malware displays a misleading ad claiming that a virus has infected the victim’s device.
If the victim selects the “remove virus now” option, the malware directs the victim to another malicious app in the Google Play Store posing as a virus removal tool.
AdultSwine’s third malicious activity is to charge the victim’s account for fraudulent premium services they did not request.
Read more about mobile malware
- Researchers at security firm McAfee have confirmed that social networks are being used to target North Korean dissidents with spyware.
- With rising mobile penetration rates and weak cyber regulations in developing markets in the APAC region, smartphones are becoming more attractive to hackers as opposed to PCs.
- Mobile spyware infections offer all manner of personal information to attackers, say security researchers.
In this case, the malware initially displays a pop-up ad claiming the user has won an iPhone and that their phone number is needed to collect the prize. But if the victim enters their number, the malware sends premium SMS messages, incurring charges.
According to Check Point’s researchers, AdultSwine is a particularly insidious malware because it is found in apps from trusted sources and can cause emotional distress and financial loss.
It also has a much wider range of malicious activities that it could pursue because the malware simply receives a target link from its command and control server and displays it to the user.
In some cases this link is merely to an advertisement, but it could also lead to whatever social engineering scheme the attackers likes.
After being advised about the malware, in addition to removing the apps from the Google Play store, Check Point said Google took “prompt action” to disable the developers’ accounts, and will continue to show strong warnings to any users that still have the apps installed.
The scareware “virus removal” tool has also been removed from Google Play for using inappropriate marketing tactics to drive installs.
Effective protection from attack by these malware-infected games requires users to install advanced mobile threat defence on all mobile devices.
The 10 most popular infected apps, each with a minimum of 100,000 downloads, were:
- Five Nights Survival Craft
- Mcqueen Car Racing Game
- Addon Pixelmon for MCPE
- CoolCraft PE
- Exploration Pro WorldCraft
- San Andreas City Craft
- Subway Banana Run Surf
- Exploration Lite: Wintercraft
- Addon GTA for Minecraft PE
- Addon Sponge Bob for MCPE
“Due to the pervasive use of mobile apps, AdultSwine and other similar malicious apps are likely to be continually repeated and imitated by hackers,” the researchers said in a blog post.