Candy Crush and Plants vs Zombies hit by Android malware

22 Sep 2015

Backdoor trojans have been discovered on a raft of popular Android games, each delivered through the official Google Play Store.

Installed within the games – including the likes of Candy Crush, Plants vs Zombies, Super Hero Adventure and more – the malware can render the victim’s phone part of a botnet, under the attacker’s control. The malicious versions of the games have since been pulled.

Essentially, the games were bundled with additional applications named systemdata or resourcea, which caught Eset’s eye: there should be no need for such add-ons in apps distributed through legitimate portals like the Google Play Store.

Playing the slow game

The trojan sometimes waited three days before kicking into action, which may explain how it slipped past Google’s security protection against dodgy games.

It also helps explain why people kept downloading it, as the delaying tactic separates the malicious behaviour from the game in many users’ eyes.

After that, the trojan requested device administrator rights and started to communicate with its remote C&C server.

Called Android/Mapin, it can do plenty of damage: download content, install and launch apps, and even steal users’ private information.

Android malware, a full-screen nightmare

However, from what Eset has seen, it mostly pushes full-screen advertisement interstitials, which are a nightmare for everybody.

“Some variants of Android/Mapin take a minimum of three days to achieve full Trojan functionality,” said Lukas Stefanko, a malware researcher at ESET. “It may also be one of the reasons why the TrojanDownloader was able to evade Google’s Bouncer malware prevention system.

“Interestingly, not all of its functionality has been fully implemented. There is a possibility that this threat is still under development and the Trojan may be improved in the future,” concluded Stefanko.

The trojans went undetected for well over a year before eventually being pulled from the Google Play store. “Perhaps because of this and similar cases, Google announced that as of March 2015 all apps and updates must pass human review,” added Eset.

Gordon Hunt was a journalist with Silicon Republic