The interesting turn of events surrounding the game Flappy Bird has had the Internet buzzing: after the game became massively popular (downloaded more than 50 million times), the developer suddenly announced that he would take it down from app stores, and then actually did so. The decision drove interest in the game even higher, with similar apps emerging in app stores, and even auctions for devices with the app installed.
The next development we saw, however, is a less desirable one: we found a bunch of fake Android Flappy Bird apps spreading online.
Especially rampant in app markets in Russia and Vietnam, these fake Flappy Bird apps have exactly the same appearance as the original version.
All of the fake versions we’ve seen so far are Premium Service Abusers — apps that send messages to premium numbers, thus causing unwanted charges to victims’ phone billing statements. During installation, the fake Flappy Bird app asks for additional permissions to read and send text messages, which the original version does not require.
After the game is installed and launched, the app begins sending messages to premium numbers.
And while the user is busy playing the game, this malware stealthily connects to a C&C server through Google Cloud Messaging to receive instructions. Our analysis of the malware revealed that through this routine, the malware sends text messages and hides the notifications of received text messages with certain content.
Apart from premium service abuse, the app also poses a risk of information leakage for the user since it sends out the phone number, carrier, and Gmail address registered in the device.
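The permission difference described above can be checked before an app is installed. The following is an added example, not code from the original post or from Trend Micro: it compares the permissions in a decoded AndroidManifest.xml against a known-good baseline and labels the extras. The mapping of permissions to behaviours and both sample manifests are assumptions constructed for illustration, not taken from the actual samples.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping from permissions to the behaviours the post describes.
RISKY = {
    "android.permission.SEND_SMS": "can send SMS (premium-number charges)",
    "android.permission.RECEIVE_SMS": "receives incoming SMS",
    "android.permission.READ_SMS": "can read stored SMS",
    "android.permission.READ_PHONE_STATE": "can read phone number and carrier",
    "android.permission.GET_ACCOUNTS": "can list accounts such as Gmail",
    "com.google.android.c2dm.permission.RECEIVE": "receives Google Cloud Messaging pushes",
}

def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a text-form manifest."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:
                perms.add(name.strip())
    return perms

def triage(candidate_xml, baseline_xml):
    """Map each permission the candidate adds over the baseline to a finding."""
    extra = requested_permissions(candidate_xml) - requested_permissions(baseline_xml)
    return {p: RISKY.get(p, "not in baseline; review manually") for p in sorted(extra)}

def _manifest(perms):
    # Builds a constructed sample manifest; not a real app's manifest.
    lines = ['<uses-permission android:name="%s"/>' % p for p in perms]
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            'package="com.example.game">%s</manifest>' % "".join(lines))

# Constructed samples: a baseline game and a repackaged copy with extras.
BASELINE = _manifest(["android.permission.INTERNET"])
SUSPECT = _manifest(["android.permission.INTERNET", "android.permission.WAKE_LOCK"]
                    + list(RISKY))

if __name__ == "__main__":
    for perm, finding in triage(SUSPECT, BASELINE).items():
        print(f"{perm}: {finding}")
```
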
Other fake versions we’ve seen have a payment feature added into the originally free app. These fake versions display a pop-up asking the user to pay for the game. If the user refuses to pay, the app will close.
These fake Flappy Bird apps are now detected as ANDROIDOS_AGENT.HBTF, ANDROIDOS_OPFAKE.HATC, and ANDROIDOS_SMSREG.HAT.
We advise Android users (especially those who are keen to download the now “extinct” Flappy Bird app) to be careful when installing apps. Cybercriminals are constantly cashing in on popular games (like Candy Crush<http://blog.trendmicro.com/trendlabs-security-intelligence/dubious-developers-cash-in-on-candy-crush/>, Angry Birds Space<http://blog.trendmicro.com/trendlabs-security-intelligence/rogue-instagram-and-angry-birds-space-for-android-spotted/>, Temple Run 2<http://blog.trendmicro.com/trendlabs-security-intelligence/fake-versions-of-temple-run-2-sprint-their-way-to-users/>, and Bad Piggies<http://blog.trendmicro.com/trendlabs-security-intelligence/malicious-developers-released-rogue-bad-piggies-versions/>) to unleash mobile threats. Our past entry, Checking the Legitimacy of Android Apps<http://blog.trendmicro.com/trendlabs-security-intelligence/checking-the-legitimacy-of-android-apps/>, enumerates some tips on how to avoid suspicious or malicious apps.
Users may also opt to install a security app (such as Trend Micro Mobile Security) to be able to check apps even before installation.
For more details on the above, please visit http://blog.trendmicro.com/trendlabs-security-intelligence/trojanized-flappy-bird-comes-on-the-heels-of-takedown-by-app-creator/