Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Subscribe
Security Research

Trojanized And Pirated Assassins Creed App

image
VIRAL GANDHI
December 11, 2014 - 3 min read
During our daily research, we recently came across Android malware disguising itself as an Assassins Creed app, which is a popular paid gaming application. The malware in question will install a pirated version of the Assassins Creed game that functions normally, making end user oblivious to the malicious activities it performs in background.
 
Application information:
 
 
Permissions:
 
  • android.permission.ACCESS_NETWORK_STATE
  • android.permission.GET_ACCOUNTS
  • android.permission.INTERNET
  • android.permission.PROCESS_OUTGOING_CALLS
  • android.permission.READ_EXTERNAL_STORAGE
  • android.permission.READ_PHONE_STATE
  • android.permission.READ_SMS
  • android.permission.RECEIVE_BOOT_COMPLETED
  • android.permission.RECEIVE_SMS
  • android.permission.SEND_SMS
  • android.permission.WAKE_LOCK
  • android.permission.WRITE_EXTERNAL_STORAGE
  • android.permission.WRITE_SMS
The malicious application is capable of sending multi-part text messages, harvesting text messages from a victim's device, and sending stolen information to a remote Command & Control (C2) server. We were able to locate phone numbers belonging to Russian bank "Volga-Vyatka Bank of Sberbank of Russia" in the malicious application code for which SMS messages are being intercepted to steal sensitive information. Another interesting feature we saw is the usage of AES encryption for all the C2 communication. It also harvests the mobile number and Subscriber ID information from the victim device for tracking purposes.

The screenshot below shows the AES crypto library configurations. All the sensitive harvested data and C2 communication is encrypted and decrypted using this configuration.
 
Image
 

Code snippet showing the string containing the Russian Bank phone numbers:
 
Image
 
Image

Command and Control server information in encrypted and decrypted form:
 
Image
 
Image

We saw the following two command and control servers hardcoded in the malicious application:
 
  •  bnk7ihekqxp.net
  •  googleapiserver.net
 
Image
 
The screenshot above shows the usage of AES for C2 communication. A sample call back request from the infected device will be of the following format:

"http://bnk7ihekqxp[.]net/iaefu.php?1=4fe08eb4b43XXXXXXXX&id=X".

The code snippet below shows the SMS and Subscriber ID information harvesting feature:
 
Image
 
It sends the harvested information via a POST request as seen below:
 
Image

Code snippet showing the SMS sending feature:
 
Image
 

Code snippet showing the SMS interception and storage arrays:
.
Image

The intercepted SMS data, Subscriber ID, and phone number information are then sent to the C2 server in an encrypted form
.
Image

Here is a sample request:
http://googleapiserver.net/kysnfhwo.php?1=4fe08eXXXXXXXXXXXXXXXXXXXX&4=3XXXXXXXXXXXXXXX

The malicious app performs the activity of harvesting sensitive information and sending it to the remote server on a regular interval by setting up an alarm as seen below:
 
Image
 
Upon installation, the user will see the game icon on the screen, that disappears shortly thereafter with the malicious process still running in the background.
 
Recommendation:

Cybercriminals often lure users with pirated versions of popular paid mobile applications that are Trojanized to steal sensitive information. It is strongly recommended that users stay away from such offers and download mobile app only from the trusted sources like the Google Play store.
form submtited
Thank you for reading

Was this post useful?

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.