Authors: Tianfang Guo, Jinjian Zhai
How many users can a stealthy malware acquire after being published on Google Play? Hundreds? Thousands? We believe a new record has been established: 500k-1m downloads. This malware survived more than 4 months until the Trustlook research team uncovered it.
The holder of this dubious honor is a malware called “Cowboy Adventure”. It is a simple game made utilizing the popular 2D game engine “Platformer 2D”. After careful analysis our team found a devious and scary reason behind its user growth.
Beginning of the story
Days ago, we found some users are complaining about their Facebook accounts are abused, sending a game invite to all the friends. And most of them speak Chinese:
After analysis, we found the “Cowboy Adventure” is actually a phishing malware that forged into a game. It will forge a Facebook login, and collect users’ Facebook username/passwords. By spamming the victims’ friends, it spread virally. Moreover, the phishing behavior is committed “selectively”, only the IP address from Asia could trigger it.
The detailed analysis
Above is the fake Facebook login window. If you have basic knowledge about OAuth, you should know that no 3rd party could ask your FB account in this way.
The app is developed using Mono, the open-source, cross-platform implementation of Microsoft’s .NET Framework. The app’s code is written in C# and compiled to several PE dll files. We used the Telerik JustDecompile and ILSpy to decompile it.
The key code are from 2 dlls:
ThinkerAccountLibrary.dll – the component responsible for collect user information, including the Facebook accounts.
CowboyAdventure.dll – the game’s code. Also it contains an entry activity that determines whether it pops up the phishing activity or not, based on user’s location.
Upon launching, the app will first communicate with a command & control server:
The returning data will determine the app’s logic: directly start the game, or phishing the user via the fake Facebook login activity.
During our test, the return data is very tricky: the C&C server will determine whether to commit malicious behavior via the client IP. We tried access the URL using our IP in United States, the returning data is as follows, with the “LoginEnabled” value 0:
In this case, the game will start without phishing.
However, if we access this URL via a proxy server from China Mainland, Hong Kong, Taiwan or S.E Asia, the return will be different:
Note the “LoginEnable” value has changed to 1. In this case, the app will first pop-up the phishing activity. This probably a trick to delay the time it discovered by major Antivirus vendors outside Asia. (And it worked!)
Here is the our reversed engineered code showing its logic:
The AppData class is for storing the data returned by C&C server. “LoginEnable” indicates whether to phishing, and “UrlHomePage” indicates the URL for submitting the users’ FB accounts.
As is shown below, in the apps main activity “HomeActivity”, the first activity shown to the user is decided by the value “LoginEnable”.
After the phishing activity is popped up, and the victim input the Facebook account, the email/password will be sent to the URL specified in the C&C server’s returned JSON value “UrlHomePage”. The detailed logic is shown below:
After the C&C server received the users’ Facebook account and password, we don’t know what exactly happened there. But we can guess: a automated script will use Facebook’s API to spread the malware among friend networks, attracting more and more victims.
Even at the time the author writing this article, there is ZERO AV vendor can detect this malware according to virustotal.com . The VirusTotal even gave a comment: “Probably harmless! There are strong indicators suggesting that this file is safe to use.”
That is the story behind a “legendary” malware on Google Play, which infected nearly 1M phones in 4 months. According our analysis, there is no complicated technology used, just a little social engineering and a small trick to evade detection.
We have to ask: what’s going wrong? The author’s opinion is as follows:
1. Mono is relatively a new development framework, thus good at evading analysis. This is not about difficulty, but cost-efficiency. As the Jar pack is still the majority of the Android threat source, few vendor integrates the Mono and C# code analysis into automated platforms.
2. Phishing is naturally difficult to detect via automated technical approaches. A phishing Facebook login activity has no difference to a normal login activity on code level. Only experienced human being can identify the forged images & layout.
3. The sneaky developer has set a location based triggering mechanism. This may fooled a lot of AV vendors outside Asia.
4. Some AV vendors have overly trust on Google Play. The slow reaction for AV vendors and the VirusTotal’s result is the best evidence. The app’s high-profile on Google Play might be a factor that made VirusTotal gave the “Probably harmless” comment. Also to our knowledge, some AV vendors gives more trust to the apps on Google Play during their automated analysis.
Update on Jul 9 3pm PST:
After more research, we found the conclusion of “the phishing only works for Asia IP” is incorrect. Now we found it actually affects anywhere except US and Canada.