The Latest in IT Security

Malicious Developers Release Rogue Bad Piggies Versions


It’s a pig-eat-pig world out there – at least on the mobile app threat front. Right after reports of malicious Bad Piggies extensions on the Google Chrome Web Store circulated, we found that certain developers had also released their own, albeit rogue, versions of the gaming app.

On the heels of the Bad Piggies launch last month, we saw rogue versions of the game on specific web pages hosted on Russian domains. These versions are not affiliated with the game at all. Based on our analysis, these apps are malicious, specifically premium service abusers, which send SMS messages without user consent and leave users with unnecessary charges.

Slicing Through Malicious Bad Piggies Version

During our research, we used the keyword “Bad Piggies” and encountered 48 Russian domains. Among these sites is piggies-{BLOCKED}, which appears as an app download page.

The site offers the app for different platforms. Instead of the actual Bad Piggies app, however, users download a malicious .APK file detected as ANDROIDOS_FAKEINST.A. Once installed, it creates a shortcut on the device’s home screen and sends SMS messages to specific numbers. As mentioned, these messages are sent without user consent and may leave users paying extra for something they didn’t authorize.

According to mobile security engineer Bob Pan, ANDROIDOS_FAKEINST.A obfuscates its code by inserting junk code and by encrypting its strings, which it decrypts upon execution. It also replaces all class, method and field names with meaningless strings, which makes analysis difficult.
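A static triage check for the SMS and shortcut behaviour and the identifier renaming described above, as an added example that is not Trend Micro's detection logic: it reads an APK's decoded manifest (for instance, as produced by apktool) and its class list. The sample manifest, class names, package names and the 0.6 threshold are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Real Android permission names, mapped to the behaviours the article describes.
FLAGGED = {
    "android.permission.SEND_SMS": "sms-send",
    "com.android.launcher.permission.INSTALL_SHORTCUT": "shortcut-install",
}

# Constructed sample: a decoded manifest and class list, not taken from the real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.installer">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="com.android.launcher.permission.INSTALL_SHORTCUT"/>
</manifest>"""
SAMPLE_CLASSES = ["a.a", "a.b", "a.c", "b.a", "com.example.installer.Main"]

def read_manifest(manifest_xml):
    """Return (package, set of requested permission names)."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    perms.discard(None)  # ignore malformed entries without android:name
    return root.get("package"), perms

def renamed_ratio(class_names):
    """Fraction of classes whose simple name is only 1-2 letters (a, b, aa ...)."""
    if not class_names:
        return 0.0
    simple = [name.rsplit(".", 1)[-1] for name in class_names]
    return sum(bool(re.fullmatch(r"[A-Za-z]{1,2}", s)) for s in simple) / len(simple)

def triage(manifest_xml, class_names, expected_package, rename_threshold=0.6):
    """List the reasons an APK claiming to be `expected_package` looks suspicious."""
    package, perms = read_manifest(manifest_xml)
    findings = []
    if package != expected_package:
        findings.append("package-mismatch")
    findings += [tag for perm, tag in FLAGGED.items() if perm in perms]
    if renamed_ratio(class_names) >= rename_threshold:
        findings.append("renamed-identifiers")
    return findings

if __name__ == "__main__":
    # "com.example.game" is a placeholder for the genuine app's package name.
    print(triage(SAMPLE_MANIFEST, SAMPLE_CLASSES, "com.example.game"))
```

Each finding is a heuristic rather than a verdict: legitimate apps also shorten identifiers with code shrinkers, so the signals matter in combination, such as a game that asks to send SMS under an unexpected package name.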

The created shortcut also has a surprise of its own. When clicked, it leads users to a specific URL to download a browser update. This update is actually JAVA_SMSSEND.AB, which also sends unauthorized SMS messages to specific numbers. As you may recall, we previously saw this malicious MIDlet disguised as an installer for Skype.

Mobile App Launch Triggers User and Cybercriminal Interest

As sly as these guys are, cybercriminals and other bad guys are sometimes creatures of habit. They stick to certain formulas to ensure users will bite on their dubious schemes. In this incident, the formula is app popularity plus media coverage equals more user interest. Bad Piggies is a spinoff of the highly popular Angry Birds franchise, and its release enjoyed good coverage from popular media.

Such is also the case with the malicious versions of Instagram and Angry Birds Space we reported previously. Right after news of Instagram for Android and Facebook’s acquisition, we immediately saw malicious versions sprouting on the Internet. To victimize as many users as possible, shady developers and certain crooks created rogue versions to take advantage of these apps’ popularity and their media exposure.

Russian domains also appear to be the favorite among rogue app developers. From the beginning of this year up to July, we already blocked more than 6,000 mobile app pages hosted on .RU domains. This is definitely an increase compared to last year’s 2,946 blocked sites. To lead users to these sites, the people behind these apps spread the links via forums, blog posts or email.

To avoid downloading a fake app (or worse, malware disguised as an app), users should stick to legitimate app stores like Google Play. They should also make it a habit to research the app and the reputation of its developers. To know more about how to make your mobile experience safer, you may read our Digital Life e-Guide 5 Simple Steps to Secure Your Android-Based Smartphones.

Mobile users need not worry as they are protected by Trend Micro Mobile Security for Android, which detects and deletes the said rogue apps. Smart Protection Network™ also blocks access to the sites hosting these apps.
