Researchers Tianfang Guo and Jinjian Zhai report in their blog that they believe the 500,000 to one million Android downloads achieved in four months for ‘Cowboy Adventure’ is a new malware record.
It is one of two games that ESET malware researchers found carrying the malicious functionality described below, the other being Jump Chess, which had far fewer downloads. A distinguishing factor is that these apps contain real functionality (they are real games), but analysis of the ‘Platformer 2D’ game engine showed that “Cowboy Adventure” is primarily phishing malware disguised within a game.
When the app is launched, the user sees a fake Facebook login window, and if they enter their Facebook username and password, those credentials are sent to the attackers' server. The researchers were alerted to the scam when they found some users, mostly Chinese speakers, complaining that their Facebook accounts had been abused and were spamming their friends to spread the game virally. The phishing behaviour is “selective”, triggering only on IP addresses from outside the US and Canada.
It is reported that the app is developed using Mono, the open-source, cross-platform implementation of Microsoft's .NET Framework. The app's code is written in C# and compiled into several PE DLL files.
On launch, the app communicates with a command and control server, and the returned data determines the app's logic: either start the game directly or phish the user via the fake Facebook login activity. After the phishing activity has popped up and the victim has entered their Facebook account details, the email/password pair is sent to the URL specified in the “UrlHomePage” value of the C&C server's JSON response.
It is reported that few vendors currently integrate Mono and C# code analysis into their automated platforms, and phishing is difficult to detect through automated technical approaches. Moreover, at the code level the phishing Facebook login activity is no different from a normal login activity. The researchers suggest that only experienced human analysts can identify the forged images and layout.
Another issue is that some AV vendors have placed too much trust in Google Play, and the app's high profile on Google Play may be a factor in VirusTotal reporting it as “Probably harmless”. It had been on Google Play since at least April 16, 2015, but was taken down last week and warnings against installing it were posted.
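Since the fake login activity is indistinguishable from a real one in code, a defender can instead look at the traffic flow described above: a C&C reply carrying “UrlHomePage” followed by a POST of email/password fields to a host that is not Facebook. The following is an added illustration, not code from the researchers' blog; the JSON shape beyond the “UrlHomePage” key, the request log format, the allow-list of Facebook hosts and all URLs are constructed assumptions.

```python
import json
from urllib.parse import urlparse

# Assumption: a minimal allow-list of hosts that may legitimately receive
# Facebook credentials. A real deployment would use a maintained list.
FACEBOOK_HOSTS = {"facebook.com", "m.facebook.com", "www.facebook.com"}

# Field names a credential-harvesting form would typically post.
CREDENTIAL_FIELDS = {"email", "password", "pass", "login", "username"}

# Constructed sample: a C&C reply of the shape the article describes, with a
# placeholder exfiltration URL (not a real indicator from the incident).
SAMPLE_CC_RESPONSE = '{"Action": "phish", "UrlHomePage": "http://phish.example.invalid/fb"}'

# Constructed sample of the app's outbound requests as a traffic monitor might log them.
SAMPLE_REQUESTS = [
    {"method": "GET", "url": "http://game-assets.example.invalid/levels/1.bin", "body": {}},
    {"method": "POST", "url": "http://phish.example.invalid/fb",
     "body": {"email": "victim@example.invalid", "password": "hunter2"}},
]


def is_facebook_host(url: str) -> bool:
    """True if the URL's host is Facebook itself or one of its subdomains."""
    host = (urlparse(url).hostname or "").lower()
    return host in FACEBOOK_HOSTS or host.endswith(".facebook.com")


def exfil_url_from_cc(cc_json: str):
    """Return the UrlHomePage value from a C&C reply, or None if absent or unparseable."""
    try:
        return json.loads(cc_json).get("UrlHomePage")
    except (ValueError, AttributeError):
        return None


def credential_exfil_alerts(cc_json: str, requests: list) -> list:
    """Flag POSTs that carry credential-style fields to a non-Facebook host, and
    note when the destination is exactly the URL the C&C handed out."""
    exfil_url = exfil_url_from_cc(cc_json)
    alerts = []
    for req in requests:
        fields = {k.lower() for k in req.get("body", {})}
        if req["method"] != "POST" or not (fields & CREDENTIAL_FIELDS):
            continue  # not a credential submission
        if is_facebook_host(req["url"]):
            continue  # credentials going to Facebook itself are expected
        reason = "credential POST to non-Facebook host"
        if exfil_url and req["url"] == exfil_url:
            reason += " matching C&C UrlHomePage"
        alerts.append({"url": req["url"], "reason": reason})
    return alerts
```

Because the behaviour only triggers outside the US and Canada, a capture taken from a US or Canadian vantage point may show only the game traffic; re-run the app from another region before concluding it is clean.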