Encrypted Scripts From Trojan Can Surprise Angry Birds Players

The huge popularity of games such as Angry Birds Space, currently in the Top 50 of the most popular Free Apps in the Google Play Market, makes them a perfect cover for malware authors to distribute new malicious code and to target many users. Recently a new malware that downloads and rates apps in the background without the user’s consent was found injected in several applications in third-party Android markets. One of the affected apps is Angry Birds Space:

The malware pretends to be the premium version of the game but it is in fact one of the first free versions of the app that is already in the Google Play Market. A comparison between the decompiled code of the Trojan version and the clean one reveals the injected code that is executed every time the user opens the game (or when the device is restarted): 

 

This code starts a service named “MyService,” which runs in the background and is part of one of the injected packages that contains malicious code:

After starting the service, the malware registers the infected device in a remote server by sending device identifiers such as IMEI, IMSI, and SIM serial number. In return, the server sends a value that starts an annoying routine of pop-up dialogs every one-and-a-half minutes asking the user to install other apps to earn points and permanently remove the adware:

In English the dialog says: “Currently, your consumption points are 0, less than 50, you can earn more consumption points by downloading free advertisement, then the advertisement in the game would be removed permanently. To ensure that the consumption points are going to your account, please open the application being installed a sometime later.”

Once the initialization phase is complete, the injected code downloads the main payload of the malware by sending the IMEI and a specific identifier to a remote server. The password is obfuscated in the code, but it can be easily obtained after analyzing the algorithm used to create it. The file inside the Zip is code written in FScript, a scripting language that can be easily embedded in other Java programs–even in small or embedded devices–by using FScriptME, the FScript version for J2ME environments. The downloaded code is dynamically loaded and each function in the script is executed from the dex file using the instruction “callScriptFunction” implemented in the FScript package.

In this specific case, the downloaded script started the communication with the control server to register the device and get the initial parameters (URL to download the APK (Android application) and web page to execute the click in the ad):

Other parameters include the “sleep” value, which the malware uses to calculate the time to wait between every execution (loop) of the routine. Once the configuration is loaded and without the user’s consent, the script downloads the application in the background along with the complete web page specified in the parameter “click.” All the files are placed in the SD card under the folder “download”:

After all the files are in place, the information in the parameters “Title” and “Intro” are used to create a notification on the device. When the user clicks on it, instead of showing the traditional installation screen, the malware shows the downloaded web page in which the user can see more details of the app such as screenshots and more description:

 

If the user taps on “Free Download” from that page, instead of starting the download the malware will intercept that event and install an already downloaded APK from the SD card. This app could be different from the one shown.

The process above was executed because the parameters sent by the remote server were “type=5” and “godown=2,” which lead to the execution of the function “pushdownapk.” Malware authors can also execute other commands, such as getting all of the installed applications on the device or executing automated mobile click fraud. The latter occurs by downloading apps from third-party markets and sending network traffic to specific mobile advertisement websites to report that an app has been successfully downloaded and installed.

So far the purpose of these scripts that are downloaded by the infected app is to report installations and generate fraudulent revenue. However, this situation can change at any time by changing the script to add another function or by changing the parameters sent by the control server to install malicious applications.

McAfee Mobile Security detects this threat as Android/Backscript.A.