Halloween came a little early for some Android users this year after a horror-themed computer game was found stealing their account credentials and displaying potentially malicious ads.
Researchers at mobile security company Wandera found the game, called Scary Granny ZOMBYE Mod: The Horror Game 2019, doing sneaky things behind the scenes. Upon installation, it tries to get the user to pay £18 (about $22) for the game, and then connects to an ad network that appears to spam the user’s device with commercials for other malicious games. Finally, it tries to phish the user’s Google account.
The game, apparently based on another highly successful Android game called Granny, releases a phishing attack against the target device, displaying a notification that asks the user to update their Google Security services. When the unwitting user agrees, it presents a fake login page to slurp their credentials.
For those that took the bait, the phishing code uses a browser built into the app to access the user’s account and downloads their recovery emails and phone numbers, their verification, their cookies and tokens (which could give the attackers access to third-party apps) and their verification codes. Wandera explained:
We could see the user information including cookies and session identifier being gathered and shipped off to the attacker without the user knowing. This is a proof point that this attack goes beyond typical credential theft that usually happens via social engineering.
The researchers also discovered code that seemed to attempt the same phishing technique with Facebook credentials, although they didn’t see that part of the program in action.
Sneaky tactics
Google uses a malware detection system to run new apps on the Play Store in a sandbox to detect malicious activities. This app was devious, though, using a timing mechanism to control its dastardly actions. Only after a period of two days would its payload kick in.
The program also used obfuscation techniques to hide its phishing code, naming its malicious components to look like official software modules used in the Android OS.
There was one interesting slip-up on the developers’ part: The page misspells ‘Sign in’ as ‘Sing in’, which would hopefully have deterred some users from falling for it. Thank goodness for sloppy spelling, eh?
Still, that won’t save victims from the horrors to come, because phishing pages aren’t the only things that Scary Granny haunts Android users’ screens with. It also displays full-screen ads for games which the researchers believe are equally malicious. It does this even after the phone is rebooted, and even outside of the app. Perhaps the word ‘Zombye’ is apt: it seems difficult to kill the thing.
The developers’ underhand tactics earned the game over 50,000 installations and a four-star review. It became so popular in part because the game is actually very good. Wandera concluded:
The app actually works! The developers have clearly gone to a lot of effort to create a fully functioning game in which you, the main player, are in a house running away from zombies and trying to find extra life and weapons.
Which just goes to show that it’s difficult to detect a dodgy Android app.
Arm yourself against malicious apps
Go and download Sophos Mobile Security from the Play Store, which offers malware protection, web filtering and a password safe.
Then, we suggest that when downloading apps, stick to the Google Play Store (yes, bad things do sometimes turn up, but it’s generally safer than downloading games and apps from other corners of the internet); search Google for reports of malicious activity and bad reviews; and when it’s installed, check to ensure that the app doesn’t ask for inappropriate permissions.
No single measure can save you from all the threats you face, but a combination of tactics will dramatically reduce your chances of being infected. And of course, never root your phone or install from an alternative third-party store.
As far as this particular ‘ZOMBYE’ goes however, Google has now removed the game from the Play Store.