Windows 10 News and info | Forum
Topic: Android Horror Game Steals Google, Facebook Credentials and Data (Read 53 times)

javajolt (Administrator)
« on: June 30, 2019, 01:48:06 AM »

An Android horror game with over 50,000 installs was found to exhibit malicious behavior, stealing the gamers' Google and Facebook credentials, and siphoning their data after logging into their accounts.

The game is called Scary Granny ZOMBYE Mod: The Horror Game 2019 (Scary Granny) and it is designed to bank on the success of another Android game dubbed Granny that currently has over 100 million installs.

While Scary Granny is a fully functional game which would actually keep gamers playing it to avoid any suspicion and raising any red flags, it was removed on June 27 from Google's Play Store — Google Cache link HERE — after the researchers who unearthed its phishing and data siphoning abilities reported it to Google.

To hide its actual "horror" side, the game would delay exhibiting any malicious activity for up to two days after being installed as Wandera's research team discovered.

The app would also turn on its data-stealing modules only if it was being used on older Android versions, with users of newer devices running up-to-date operating systems not being impacted.

When being installed, the Scary Granny game gains persistence on the device by asking for permission to launch itself after the smartphone or tablet is restarted.

This allows it to show full-screen phishing overlays even after the Android users reboot their devices, by first displaying "a notification telling the user to update Google security services. When the user hits ‘update’, a fake Google login page is presented, which is very convincing other than the fact ‘sign in’ is spelled incorrectly."


Google credentials phishing

After successfully stealing the victim's Google credentials, Scary Granny will start collecting account information such as recovery emails and phone numbers, verification codes, birth dates, as well as cookies and tokens.

Inspecting the app's network traffic also allowed the researchers to see that the malicious game would log into the victims' accounts using an inbuilt browser and would start collecting cookies and session identifiers, which would get surreptitiously sent to the attacker.

This behavior was activated after an initial version of the app "had the ability to steal and exfiltrate Google and Facebook account data but it wasn’t making these transactions due to the constant crashing," showing that the cybercriminals behind this horror game were continuously updating its malicious features.

To scrape its victims' Google and Facebook information, Scary Granny could use obfuscated packages designed to mimic components of official Android apps, e.g., utilizing the com.googles.android.gms package that attempts to camouflage itself as the legitimate com.google.android.gms.

Overlay ads disguised as other Android applications

The malicious Scary Granny Android horror game would also display persistent ads camouflaged as ads from other applications like Amazon, Facebook, Facebook Lite, HaGo, Hulu, Instagram, Messenger, Pinterest, SnapChat, TikTok, or Zalo.

"In our analysis, we could see that when viewing all the open apps on the device, it appeared there were apps open including Facebook and Amazon but these were actually ads that the Scary Granny app had opened and disguised as legitimate applications," found the researchers.


Overlay apps disguised as apps

Wandera was not able to prove that the ads were also used to redirect victims to download links that would allow the crooks to distribute other malicious apps.

However, "In one example, the ad directs the user to a page which Google blocked, flagging it as being deceptive, which suggests it hosts malware or a phishing attack."

The ads would be distributed to the compromised Android devices after connecting to an ad network using the com.coread.adsdkandroid2019 package.

The malicious game would also attempt to further increase its masters' profits by requiring the Android users to pay for the game via a "pre-populated PayPal payment page for £18 ($22)," as Wandera concludes.

source
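The post mentions that the app hid its credential-stealing code under a package named com.googles.android.gms to pass for the legitimate com.google.android.gms. The following is an added example (not code from the article, Wandera, or the forum poster) of a small triage check a defender can run over an inventory of installed package names to flag such lookalikes; the allow-list of legitimate package names and the sample inventory are constructed for the example.

```python
# Added example: flag installed Android package names that imitate legitimate
# vendor namespaces (e.g. com.googles.android.gms vs. com.google.android.gms).
from typing import Dict, Iterable, List, Optional

# Constructed allow-list of known-good package names (assumption for this example).
LEGIT_PACKAGES = {
    "com.google.android.gms",
    "com.google.android.gsf",
    "com.facebook.katana",
    "com.facebook.lite",
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (standard DP, O(len(a)*len(b)))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(package: str, legit: Iterable[str] = LEGIT_PACKAGES,
                 max_dist: int = 2) -> Optional[str]:
    """Return the known-good name that `package` most closely imitates, or None.

    An exact match with any allow-listed name is legitimate and never flagged.
    Otherwise a name within `max_dist` edits of a known-good name is treated as
    a lookalike; com.googles.android.gms is a single insertion away from
    com.google.android.gms and is therefore flagged.
    """
    best = None
    for good in legit:
        if package == good:
            return None
        d = edit_distance(package, good)
        if d <= max_dist and (best is None or d < best[1]):
            best = (good, d)
    return best[0] if best else None


def triage(installed: List[str]) -> Dict[str, str]:
    """Map each suspicious installed package to the legitimate name it mimics."""
    hits = {p: lookalike_of(p) for p in installed}
    return {p: good for p, good in hits.items() if good is not None}


# Constructed sample inventory; only the lookalike should be reported.
SAMPLE_INSTALLED = ["com.google.android.gms", "com.googles.android.gms",
                    "com.coread.adsdkandroid2019", "com.facebook.lite"]

if __name__ == "__main__":
    print(triage(SAMPLE_INSTALLED))  # {'com.googles.android.gms': 'com.google.android.gms'}
```

The ad SDK package com.coread.adsdkandroid2019 is deliberately not flagged by this check, since it does not imitate a known name; it would need a separate reputation or allow-list rule.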