Trojanized versions of Flappy Bird, the mega-popular iPhone and Android game that has recently been pulled from Google Play and Apple’s App Store by its creator, have begun popping up on third-party Android markets.
Flappy Bird has become hugely successful in a matter of months – over 50 million users downloaded it, and it reportedly earned Dong Nguyen – its Vietnamese developer – over $50,000 per day through its in-game advertising.
It is still unknown why he decided to pull the addictive app from the two markets on Sunday, while keeping two of his less popular games.
But cyber crooks don’t care, and have taken advantage of the huge unmet demand by issuing Trojanized versions of the game.
“Especially rampant in app markets in Russia and Vietnam, these fake Flappy Bird apps have exactly the same appearance as the original version,” Trend Micro researchers noted.
“All of the fake versions we’ve seen so far are Premium Service Abusers — apps that send messages to premium numbers, thus causing unwanted charges to victims’ phone billing statements.”
Unlike the original version of the app, these ones ask the user for an additional permission: the permission to read, receive and send SMS messages.
Apart from sending out messages to premium service numbers and intercepting and hiding the replies those numbers send back, these fake Flappy Bird apps are also able to connect to a C&C server through Google Cloud Messaging, and to exfiltrate the information the app has access to on the device: phone number, carrier, the Gmail address registered on the device, and so on.
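The tell described above (a game that suddenly wants SMS permissions, plus permissions covering phone number, carrier, Google account and GCM push) can be checked statically from an APK's AndroidManifest.xml. The following is an added example, not Trend Micro's tooling and not code from any real Flappy Bird build: it parses two constructed manifests (a plausible original, and a fake that requests the extra permissions the article lists), reports which permissions the second one adds over the first, and scores the combination. The package names and both manifests are invented for illustration.

```python
"""
Static manifest check for the permission pattern described in the article:
SMS read/receive/send (premium-SMS abuse) plus permissions that expose the
phone number, carrier, registered Google account and a GCM push channel.
Added example; sample manifests are constructed and do not come from a real APK.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions an offline, ad-supported game has no reason to request.
SMS_PERMISSIONS = {
    "android.permission.SEND_SMS": "can send SMS (premium-number billing abuse)",
    "android.permission.RECEIVE_SMS": "can intercept incoming SMS (hide carrier replies)",
    "android.permission.READ_SMS": "can read stored SMS",
}
# Permissions matching the data the article says the fakes collect.
INFO_PERMISSIONS = {
    "android.permission.READ_PHONE_STATE": "exposes phone number and carrier",
    "android.permission.GET_ACCOUNTS": "exposes the registered Google (Gmail) account",
    "com.google.android.c2dm.permission.RECEIVE": "can receive GCM push (possible C&C channel)",
}

# Constructed sample: what a legitimate ad-supported game might declare.
ORIGINAL_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
</manifest>
"""

# Constructed sample: the same game with the permissions the article describes.
FAKE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="com.google.android.c2dm.permission.RECEIVE"/>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> set:
    """Return the set of <uses-permission android:name> values in a manifest."""
    root = ET.fromstring(manifest_xml.strip())
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }


def extra_permissions(baseline_xml: str, candidate_xml: str) -> list:
    """Permissions the candidate requests that the known-good baseline does not."""
    return sorted(requested_permissions(candidate_xml) - requested_permissions(baseline_xml))


def assess_manifest(manifest_xml: str) -> dict:
    """
    Flag a manifest as suspicious when it can send SMS, or when it combines
    any SMS permission with device-info or push permissions. Returns the
    matched permissions and a human-readable reason per match.
    """
    perms = requested_permissions(manifest_xml)
    sms = sorted(p for p in perms if p in SMS_PERMISSIONS)
    info = sorted(p for p in perms if p in INFO_PERMISSIONS)
    reasons = [SMS_PERMISSIONS[p] for p in sms] + [INFO_PERMISSIONS[p] for p in info]
    suspicious = "android.permission.SEND_SMS" in perms or (bool(sms) and bool(info))
    return {"sms": sms, "info": info, "suspicious": suspicious, "reasons": reasons}


if __name__ == "__main__":
    print("added over baseline:", extra_permissions(ORIGINAL_MANIFEST, FAKE_MANIFEST))
    for line in assess_manifest(FAKE_MANIFEST)["reasons"]:
        print(" -", line)
```

Diffing against a known-good manifest is the most useful part of this check: a repackaged app usually keeps the original's permissions intact and only adds to them, so the added set is a compact description of what the repackager wanted. The scoring deliberately treats SEND_SMS alone as enough to flag, since a single-player game never needs it.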
“Other fake versions we’ve seen have a payment feature added into the originally free app. These fake versions display a pop up asking the user to pay for the game. If the user refuses to play, the app will close,” the researchers added.