Popular Android games on Google Play observed stealing Facebook credentials

The Trustlook post indicated that the phishing mechanism only works on IP addresses outside of the U.S. and Canada.

Researchers with two security firms independently observed apps on the Google Play store that are stealing Facebook credentials, and one of the apps has been downloaded by up to a million Android users.

Cowboy Adventure is a working game by Tinker Studio that has between 500,000 and 1,000,000 downloads, but it is also malware – upon launching the app, certain users are met with a fraudulent Facebook login window that steals entered credentials and sends them to the attackers.

“If you have basic knowledge about OAuth, you should know that no [third] party could ask your [Facebook] account in this way,” a Wednesday post from security firm Trustlook said.

Researchers with ESET also studied the app, and indicated in a Thursday post that Jump Chess – another working game from Tinker Studio, but with between 1,000 and 5,000 downloads – was exhibiting the same behaviors. ESET detects the games as Android/Spy.Feabme.A.

“Our analysis of these malicious games has shown that the applications were written in C# using the Mono Framework,” the ESET post said. “The phishing code is located inside TinkerAccountLibrary.dll. The app communicates with its C&C server through HTTPS and the address to which to send the harvested credentials (also known as the ‘drop zone’) is loaded from the server dynamically.”

The Trustlook post indicated that the phishing mechanism only works on IP addresses outside of the U.S. and Canada.

Robert Lipovsky, malware researcher with ESET, told SCMagazine.com in a Friday email correspondence that the phishing mechanism was active from a Slovak IP. He noted that the Cowboy Adventure app, which is likely the same sample analyzed by Trustlook, was not tested through a U.S. or Canadian proxy.

The Trustlook post explained that Mono helps the apps evade analysis because it is a relatively new development framework. Lipovsky added that the games may have avoided detection because “the phishing functionality was, most probably, simply inactive when it went through Google's vetting process.”

ESET indicated in its post that both games have been removed from the Google Play store, and that a warning now appears when a user attempts to install either app.
