Android Horror Game Steals Google, Facebook Credentials and Data

An Android horror game with over 50,000 installs was found to exhibit malicious behavior, stealing the gamers' Google and Facebook credentials, and siphoning their data after logging into their accounts.

The game is called Scary Granny ZOMBYE Mod: The Horror Game 2019 (Scary Granny) and it is designed to bank on the success of another Android game dubbed Granny that currently has over 100 million installs.

While Scary Granny is a fully functional game, which keeps gamers playing it and avoids raising suspicion or red flags, it was removed from Google's Play Store on June 27 after the researchers who unearthed its phishing and data-siphoning abilities reported it to Google.

To hide its actual "horror" side, the game would delay exhibiting any malicious activity for up to two days after being installed, as Wandera's research team discovered.

The app would also turn on its data-stealing modules only if it was being used on older Android versions, with users of newer devices running up-to-date operating systems not being impacted.

When being installed, the Scary Granny game gains persistence on the devices by asking for permissions to launch itself after the smartphone or tablet is restarted.

This allows it to show full-screen phishing overlays even after the Android users reboot their devices, by first displaying "a notification telling the user to update Google security services. When the user hits ‘update’, a fake Google login page is presented, which is very convincing other than the fact ‘sign in’ is spelled incorrectly."

After successfully stealing the victim's Google credentials, Scary Granny will start collecting account information such as recovery emails and phone numbers, verification codes, birth dates, as well as cookies and tokens.

Inspecting the app's network traffic also allowed the researchers to see that the malicious game would log into the victims' accounts using an inbuilt browser and start collecting cookies and session identifiers, which would be surreptitiously sent to the attacker.

This behavior was activated after an initial version of the app "had the ability to steal and exfiltrate Google and Facebook account data but it wasn’t making these transactions due to the constant crashing," showing that the cybercriminals behind this horror game were continuously updating its malicious features.

To scrape its victims' Google and Facebook information, Scary Granny could use obfuscated packages designed to mimic components of official Android apps, e.g., utilizing the com.googles.android.gms package that attempts to camouflage itself as the legitimate com.google.android.gms.
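A defender reviewing an app can catch this kind of camouflage by comparing its package names against trusted namespaces and flagging near misses. The following is an added example, not code from Wandera or the original article; the input list, the `.auth` and `.common` sub-packages, the second trusted namespace, and the distance threshold are assumptions made for illustration.

```python
"""Flag package names that imitate trusted Android namespaces (added example)."""

# Namespaces to protect. com.google.android.gms is the one named in the article;
# com.facebook.katana is added here as an assumption for illustration.
TRUSTED = ["com.google.android.gms", "com.facebook.katana"]

# Constructed sample: package names as they might be listed from an app's classes.
SAMPLE = [
    "com.googles.android.gms.auth",   # look-alike prefix from the article
    "com.google.android.gms.common",  # genuinely inside the trusted namespace
    "com.coread.adsdkandroid2019",    # unrelated name, not a look-alike
    "com.unity3d.player",
]

def edit_distance(a, b):
    """Levenshtein distance using two rows of the dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_under(pkg, ns):
    """True when pkg is the namespace itself or one of its sub-packages."""
    return pkg == ns or pkg.startswith(ns + ".")

def find_lookalikes(packages, trusted=TRUSTED, max_distance=2):
    """Return (package, imitated_namespace, distance) for near-miss names."""
    hits = []
    for pkg in packages:
        if any(is_under(pkg, ns) for ns in trusted):
            continue  # exact match on a trusted namespace is not a look-alike
        parts = pkg.split(".")
        for ns in trusted:
            # Compare only as many leading segments as the namespace has.
            prefix = ".".join(parts[: ns.count(".") + 1])
            distance = edit_distance(prefix, ns)
            if distance <= max_distance:
                hits.append((pkg, ns, distance))
                break
    return hits

if __name__ == "__main__":
    for pkg, ns, distance in find_lookalikes(SAMPLE):
        print(f"{pkg} imitates {ns} (edit distance {distance})")
```

A name-based check like this only surfaces candidates for review; a package sitting under the genuine namespace string inside an untrusted app still needs signature and source verification.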

Overlay ads disguised as other Android applications

The malicious Scary Granny Android horror game would also display persistent ads camouflaged as ads from other applications like Amazon, Facebook, Facebook Lite, HaGo, Hulu, Instagram, Messenger, Pinterest, SnapChat, TikTok, or Zalo.

"In our analysis, we could see that when viewing all the open apps on the device, it appeared there were apps open including Facebook and Amazon but these were actually ads that the Scary Granny app had opened and disguised as legitimate applications," found the researchers.


Wandera was not able to prove that the ads were also used to redirect victims to download links that would allow the crooks to distribute other malicious apps.

However, "In one example, the ad directs the user to a page which Google blocked, flagging it as being deceptive, which suggests it hosts malware or a phishing attack."

The ads would be distributed to the compromised Android devices after connecting to an ad network using the com.coread.adsdkandroid2019 package.
