Android botnet spreads via game guides

Android malware writers constantly find new ways to communicate with their malware once it has infected a victim's mobile device. The SonicWall Threats Research Team received reports of a malware campaign that spreads under the guise of game guides and uses a new way to send messages to a victim's device post infection. Most of the apps belonging to this campaign are distributed as game guide apps, which give walkthroughs for the tasks and goals to be accomplished in a game. This campaign is thus being referred to as FalseGuide.

Infection Cycle

Most of the samples belonging to this campaign request a number of permissions, but a few key permissions of interest to this campaign are as follows:

  • RECEIVE_BOOT_COMPLETED
  • com.google.android.c2dm.permission.RECEIVE
  • C2D_MESSAGE
  • RECEIVE_ADM_MESSAGE

Upon installation the malware asks for device administrator privileges. This should be a red flag to the user: in most cases the app claims to be a guide for a specific game, and a guide like that should not need administrator privileges. By obtaining admin privileges the app makes itself difficult for the user to uninstall. On opening the app we do see some relevant game-guide content, but in the background the app registers and starts a number of services and broadcast receivers that listen for messages delivered via Firebase Cloud Messaging (FCM) events.


Messaging via Firebase

Firebase Cloud Messaging is a service that handles sending messages between server applications and a mobile client app. A mobile client app is essentially an FCM-enabled app that runs on a device (the infected device in our case). FCM was developed to increase engagement between app developers and their users: developers can easily push notifications and messages to a chosen set of users of their apps. For instance, a developer can send a special offer to all users of the app who have made an in-app purchase, which adds to a more personalized user experience. Apart from that, FCM is a powerful way to gather analytical data that can be used to improve the app.

Most of the samples we observed include Firebase as a component, thereby making each infected device an FCM client.

FCM allows developers to send messages to multiple devices that have subscribed to a particular topic (see the FCM topic messaging documentation for more information). We see the same behavior in the apps belonging to this campaign: each one subscribes to a topic named after the app.

The apps monitor for messages arriving from FCM via background services.

We therefore have a scenario where each infected device subscribes, with the FCM server, to a topic named after the app. The developer can now send messages to every device infected by a particular app, thereby creating a botnet of infected devices that can be commanded via the subscribed FCM topic. The attacker has the ability to push malicious modules, transforming an app that already holds device administrator privileges into something far more dangerous.
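The combination described above (a device-admin receiver plus a push-message listener in an app that claims to be a game guide) can be triaged statically from the decoded AndroidManifest.xml. The following is an added example written for this post, not code from the campaign or from SonicWall; the manifest it parses is a constructed sample with a placeholder package name, and the element names it looks for are the standard Android and FCM manifest entries.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest modelled on the traits described in this post (not a real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.guide.placeholder">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="com.google.android.c2dm.permission.RECEIVE"/>
  <application>
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
    <service android:name=".PushService">
      <intent-filter>
        <action android:name="com.google.firebase.MESSAGING_EVENT"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Intent actions and permissions that mark an FCM / C2DM push listener.
PUSH_ACTIONS = {"com.google.firebase.MESSAGING_EVENT", "com.google.android.c2dm.intent.RECEIVE"}
PUSH_PERMISSIONS = {"com.google.android.c2dm.permission.RECEIVE"}
DEVICE_ADMIN_PERM = "android.permission.BIND_DEVICE_ADMIN"
BOOT_PERM = "android.permission.RECEIVE_BOOT_COMPLETED"


def triage_manifest(xml_text):
    """Return which FalseGuide-style traits a decoded manifest exhibits."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    actions = {a.get(ANDROID_NS + "name") for a in root.iter("action")}
    # A receiver protected by BIND_DEVICE_ADMIN is how an app requests device admin.
    device_admin = any(r.get(ANDROID_NS + "permission") == DEVICE_ADMIN_PERM
                       for r in root.iter("receiver"))
    push_listener = bool(actions & PUSH_ACTIONS) or bool(perms & PUSH_PERMISSIONS)
    findings = {
        "device_admin": device_admin,
        "push_listener": push_listener,
        "boot_persist": BOOT_PERM in perms,
    }
    # A game guide has no business holding device admin while listening for push commands.
    findings["suspicious_for_guide_app"] = device_admin and push_listener
    return findings


if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

Run it against the manifest produced by an APK decoder of your choice; the flags are meant as a triage aid, not a verdict, since legitimate apps can also combine these features.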

Additional notes:

  • Some apps use the UrbanAirship platform, which also provides the ability to send push notifications to multiple devices
  • Most of the apps in this campaign are spreading under the guise of game guides; a few of the games they claim to cover are listed below:
    • Asphalt
    • Drift Zone
    • Injustice Gods
    • FIFA Mobile
    • LEGO Nexo Knights
    • LEGO City My City
    • Pokemon GO
    • Rolling sky
    • Subway Surfers
    • Terraria
    • World of Tanks

  • During our analysis we did not receive any FCM push notifications; we will update the blog if we receive such messages in the future
  • Since these apps do not contain malicious content themselves, they were able to evade Google's automated malware scanners on the Google Play store
  • Reports indicate many apps from this campaign were downloaded from the Play store by unsuspecting users

Overall this campaign creates a botnet of devices that subscribe to a particular topic via Firebase Cloud Messaging. The fact that users have already downloaded samples belonging to this campaign shows that it has succeeded in reaching a number of devices by hiding behind game guides. If you recently downloaded a game guide that requested device administrator privileges, we urge you to consider removing that app from your device. Moreover, always think twice before granting administrator privileges to an app.

SonicWall provides protection against multiple variants of this threat via the signatures below:

  • GAV: AndroidOS.FalseGuide.MS (Trojan)
  • GAV: AndroidOS.FalseGuide.AD (Trojan)

Below are a few apps containing the Firebase component:

  • 91df87ab4b0e170db3431cd8b8ce7944 – free.guidegame.slitherfree
  • 90a5cb2c5b7fbd43bc11a87eeec17941 – guide.tipscadillacs.infopro
  • 9d8888f3e8a3ce16108827333af3447c – guide.tipsfnaftwo.infopro

Below are a few apps containing the UrbanAirship component:

  • 10b174832cd65a518a98a857d27198d2 – free.guidegame.shadowfightfree
  • e2d996f2cf1570c366bd53a0201f1f07 – free.guidegame.mortalkombatxfree
  • 8adc23a56b77d56748811721725ee7c3 – free.guidegame.fifafree*

Below are a few more apps from this campaign:

  • abbbb10fe5eb67a81b9ea06ec9cb4da2 – mobi.guide.dream.league.soccer.pro
  • 6fcbc296ffe9c893581310a9bb02c7ee – free.guidegame.hungrysharkfree