An Android horror game was found stealing the Facebook and Google credentials of its users, along with performing other malicious activities. Google took down the game on June 27, but not before it managed to log over 50,000 downloads.
The application was called Scary Granny ZOMBYE Mod: The Horror Game 2019, which rides on the popularity of a similarly named horror game called Granny. It avoids immediate suspicion by acting as a normal game the first two days upon installation, before starting its malicious activities.
Credential stealing
One of its initial actions is a phishing tactic to collect the user’s Google credentials. It notifies users to update Google Play services only to subsequently display a fake login page. The login page contains the usual indication of a phishing page in its misspelling of the “sign in.”
After collecting the credentials, the app will then log into the user’s Google account using a built-in browser and an obfuscated package. The obfuscated package is named to resemble a legitimate Android app. For example, it used com.googles.android.gms, which is similar to the legitimate Google package com.google.android.gms. It also used a Facebook package called com.facebook.core, which appears to have the same function as the Google package.
After successfully logging in, the app will collect further information such as the user’s recovery email address, birthday, verification codes, recovery phone numbers, cookies, and tokens.
Ad fraud
Aside from stealing user credentials, the app also displays persistent ads. It disguises ads as legitimate and well-known applications, wherein they appear as open apps. A closer inspection reveals that they’re actual ads opened by the malicious app.
The ads are part of the profit scheme of this app, which also asks users to pay US$22 for the game.
Persistence
The app employs persistence tactics that would make it difficult for users to remove. It can launch itself and overlay the fake Google Sign In page even when the device is restarted.
The game does this by asking permission to run at startup, which will allow it to run even when the device is rebooted.
Mobile security
Researchers from Wandera, who discovered this malicious app, noted that the malicious activity described above only worked on older versions of the Android OS.
The researchers also pointed out how it behaved as a normal game, free of malicious activity, if launched in the latest Android OS. This means its developers spent time to create an actual working game, justifying how they can convince users to pay for the game itself. Ultimately, the app manages to hide several other tricks behind its horror game exterior.
It employs a combination of familiar schemes to gain the most profit, exemplifying how longstanding methods like phishing remain a mainstay in the mobile threat landscape. The app also showed how such campaigns use other schemes like ad fraud as a secondary way to make a profit .
[Read: Mobile Ad Fraud Schemes: How They Work, and How to Defend Against Them ]
Trend Micro Mobile Security Solutions
End users and enterprises can also benefit from  multilayered mobile security solutions  such as  Trend Micro™ Mobile Security for Android™  (available on Google Play), and  Trend Micro™ Mobile Security  for Apple devices.  Trend Micro™ Mobile Security for Enterprise  provides device, compliance and application management, data protection, and configuration provisioning, as well as protects devices from attacks that exploit vulnerabilities, preventing unauthorized access to apps as well as detecting and blocking malware and fraudulent websites. 
Like it? Add this infographic to your site:1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.
In the first half of this year, cybersecurity strongholds were surrounded by cybercriminals waiting to pounce at the sight of even the slightest crack in defenses to ravage valuable assets. View the report
The upheavals of 2020 challenged the limits of organizations and users, and provided openings for malicious actors. A robust cybersecurity posture can help equip enterprises and individuals amid a continuously changing threat landscape. View the 2020 Annual Cybersecurity Report
cardingcvvru cvvstorecc