Popular Android games unmasked as phishing tools

“ESET researchers have discovered a new, ingenious, yet very simple Facebook phishing scheme: playable Android games that, before they are started, ask users to enter their Facebook credentials.


The researchers found two such games on Google Play. Cowboy Adventure, which has been downloaded and installed by half a million to a million Android users, and the less popular Jump Chess (1,000 5,000 installs). Both apps were offered for free.

“Unlike some other Android malware, these apps did contain legitimate functionality (they actually were real games) in addition to the fraud,” they noted. “The problem lies in the fact that when the app is launched, a fake Facebook login window is displayed to the user. If victims fell for the scam, their Facebook credentials would be sent to the attackers server.”

Both apps were developed by the same individual, and have been available for download on Google Play for months. But obviously not all those who downloaded the apps and tried to play the games have fallen for the phishing scheme. In fact, some of them tried to warn users about this in the user comments.

Google has been appraised of the situation and has removed the apps from Google Play, but those users who have already divulged their Facebook credentials must change their password as soon as possible to prevent account hijacking. For most, this warning has likely come too late.

“Our analysis of these malicious games has shown that the applications were written in C# using the Mono Framework. The phishing code is located inside TinkerAccountLibrary.dll. The app communicates with its C&C server through HTTPS and the address to which to send the harvested credentials (also known as the drop zone) is loaded from the server dynamically,” the researchers shared.

But how has Cowboy Adventure become so popular in mere months? The answer is: selective phishing. According to Trustlook researchers, Cowboy Adventure would show the phishing screen before the game only if the users’ IP address is associated with Asia. Other users would never see it.

The researchers posit that once the Facebook credentials were forwarded to the C&C server, an automated script would use the stolen credentials and Facebooks API to spread by sending a game invite to all the victim’s friends.

As always, users are advised to carefully evaluate each app before downloading and using it: check the ratings and the user comments in order to get a feeling if the developer is trustworthy, and always question the permission the app asks during installation.

Trustlook researchers noted that, initially, no AV solution detected the app as malicious. They put the blame for this on the limitations of automated code analysis, the use of the location-based triggering mechanism, and the excessive trust AV vendors have in Google Play’s malware detection mechanisms.”