Game functions normally, but includes malicious activity

Dec 13, 2014 09:54 GMT

A tampered version of Assassin’s Creed for Android devices delivers more than just an awesome gaming experience, researchers find: it also hides malicious activity running in the background.

The app functions normally, from the standpoint of the user, as its original features remained untouched, but it includes extra code designed to relay text messages received by the user to a server controlled by the cybercriminals.

Malware monitors bank communication

Security researchers at ZScaler analyzed the sample and determined that it monitors texts received from the phone numbers of the Russian bank Volga-Vyatka Bank of Sberbank of Russia.

This specific sender is targeted most likely because of the sensitive information it delivers to customers that have enabled the two-factor authentication security measure for accessing their bank accounts.

The researchers also observed that communication to the command and control (C&C) servers is protected with AES encryption; this includes the intercepted SMS data, subscriber ID (for tracking purposes), and phone number.

According to ZScaler, the information is collected from the victim’s device and sent to the attacker with a specific frequency. There are two C&C server addresses hard-coded in the malware code, pointing to bnk7ihekqxp[.]net and googleapiserver[.]net.

The list of permissions for the malware also includes processing outgoing calls as well as reading and writing to the external storage. The malicious process also asks for permission to start at boot time.

Stick to downloading from legitimate stores

“Cybercriminals often lure users with pirated versions of popular paid mobile applications that are Trojanized to steal sensitive information. It is strongly recommended that users stay away from such offers and download mobile apps only from trusted sources like the Google Play store,” ZScaler says in a blog post.

At the moment, at least 12 out of 56 antivirus engines on VirusTotal are able to spot the malware. However, not all users rely on antivirus protection for their mobile devices.

Moreover, it is common for users not to pay attention to the permissions an app asks upon installation. In the case of third-party repositories, the legitimacy of the permissions is not verified and crooks could publish software asking for more than it would need.

Going through the list of permissions before getting an app on the phone gives a clear view of the restrictions imposed by the developer and the type of data that can be accessed.

Demanding access to the contact list, SMS and call log should always be a cause for concern in the case of apps whose purpose and functionality would not normally need this type of information.
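A manifest-permission triage along the lines of this advice, as an added example that is not ZScaler's or the article's own code: it parses a decoded AndroidManifest.xml (the sample below is constructed to carry the permission set described in the article; the package name is a placeholder) and flags a game that asks for SMS access together with network access and boot persistence.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions a game has no plausible need for, mapped to the capability
# each grants so a report can say *why* it was flagged.
SENSITIVE = {
    "android.permission.RECEIVE_SMS": "intercept incoming SMS (bank one-time codes)",
    "android.permission.READ_SMS": "read stored SMS",
    "android.permission.READ_CONTACTS": "read the contact list",
    "android.permission.READ_CALL_LOG": "read the call log",
    "android.permission.PROCESS_OUTGOING_CALLS": "observe or redirect outgoing calls",
    "android.permission.RECEIVE_BOOT_COMPLETED": "start at boot and persist",
}

# Constructed sample: a decoded manifest (as produced by e.g. apktool) carrying
# the permission set described in the article. Package name is a placeholder.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.pirated.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
</manifest>"""


def declared_permissions(manifest_xml):
    """Return the permission names declared via <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]


def triage(manifest_xml):
    """Return (verdict, findings). findings maps each flagged permission to its
    reason; verdict is 'suspicious' when SMS access is combined with network
    access and boot persistence, the combination the article describes."""
    perms = set(declared_permissions(manifest_xml))
    findings = {p: SENSITIVE[p] for p in sorted(perms) if p in SENSITIVE}
    has_sms = bool({"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"} & perms)
    has_net = "android.permission.INTERNET" in perms
    persists = "android.permission.RECEIVE_BOOT_COMPLETED" in perms
    verdict = "suspicious" if has_sms and has_net and persists else "review"
    return verdict, findings
```

Run it against any manifest decoded from an APK; for a game, a "suspicious" verdict with SMS-related findings is exactly the mismatch between purpose and permissions the article warns about.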

Image gallery (5 images): Code for collecting SMS and Subscriber ID information; Encrypted communication with the command and control server; Configuration for the AES cryptographic library.