Monday, 20 January 2014

Mobile Threat Monday: Fake Minecraft Scams Android Gamers

Image via Flickr user Tiago A. Pereira
According to F-Secure, a Trojanized version of Minecraft - Pocket Edition (or Minecraft PE) is making the rounds on third-party app marketplaces. Though it costs half as much as the genuine article, it has a few "enhancements" that players won't like.
Worse Than Creepers
F-Secure told SecurityWatch that the phony Minecraft PE is currently available on several Russian app stores. This isn't surprising, as not all third-party stores vet their apps as thoroughly as Google, making some of them havens for malicious applications.
Careful readers will probably remember that cloned versions of popular apps are nothing new; in fact, it's a common tactic to trick victims into downloading and installing malicious applications. These fake apps are generally free, to further entice victims, but this ersatz Minecraft PE bucks the trend by charging 2.50 Euros for the app—the real app costs 5.49 Euros.
Charging victims earns the scammers some cash right off the bat, but that's not all this app does. "The real game is included but it has one added permission: android.permission.SEND_SMS and the payment system has been 'enhanced,'" said F-Secure. This critical change means that the app can use victims' phones to send text messages.
According to F-Secure, the SMS messages generated by the app are sent to so-called "premium rate numbers" in Russia. These might be signing up victims for pricey subscriptions to services they don't want. The messages might also be adding money to their phone bill—like those fundraiser shortcodes used by NPR and the Red Cross, but in this case used for evil. Interestingly, whoever made the fake app might not own the numbers the messages are being sent to, but may get a cut from whoever does.
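As an added example (not code from F-Secure or the original article), the following Python compares the permissions requested by a candidate APK against those of the genuine build and flags additions that can run up charges, such as the android.permission.SEND_SMS permission described above. It assumes the text output of `aapt dump permissions` for each APK; the package name, permission lists and function names are constructed for illustration.

```python
import re

# Permissions that let an app spend the user's money without a prompt.
COST_INCURRING = {
    "android.permission.SEND_SMS",
    "android.permission.CALL_PHONE",
}

# Matches both aapt output styles:
#   uses-permission: android.permission.INTERNET
#   uses-permission: name='android.permission.INTERNET'
_PERM_RE = re.compile(r"^uses-permission(?:-sdk-\d+)?:\s*(?:name=')?([\w.]+)'?")


def parse_permissions(aapt_output):
    """Return the set of permissions listed in `aapt dump permissions` text."""
    perms = set()
    for line in aapt_output.splitlines():
        match = _PERM_RE.match(line.strip())
        if match:
            perms.add(match.group(1))
    return perms


def added_permissions(reference_dump, candidate_dump):
    """Diff a candidate APK against the known-good build it claims to be."""
    added = parse_permissions(candidate_dump) - parse_permissions(reference_dump)
    return {
        "added": sorted(added),
        "cost_incurring": sorted(added & COST_INCURRING),
    }


# Constructed sample dumps: package name and permission lists are illustrative,
# not taken from the real or the Trojanized Minecraft PE.
REFERENCE = """package: com.example.game
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE'
"""
CANDIDATE = """package: com.example.game
uses-permission: android.permission.INTERNET
uses-permission: android.permission.WRITE_EXTERNAL_STORAGE
uses-permission: android.permission.SEND_SMS
"""

if __name__ == "__main__":
    print(added_permissions(REFERENCE, CANDIDATE))
```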
Sneakier Than Endermen
Mojang, the creators of Minecraft, are no fools and F-Secure writes that they included some security measures in their code to prevent this kind of thing from happening. Unfortunately, the creator of this Trojanized app is clever.
"The original Minecraft includes a check inside the dex code that verifies the signature that has been used to sign the APK. If it's not [Mojang's], the code refuses to run," said F-Secure. The phony Minecraft PE includes a special tool to specifically trick this failsafe, thus allowing it to work.
Guard Your Fortress
In Minecraft, if you leave a hole in your outer defenses, dangerous monsters will find their way into your home. Likewise, turning off the default restriction on installing third-party applications on your Android device can allow malware into your phone.
And searching for free or cracked versions of popular apps is like asking monsters to come into your home. It's always better to pay the developers and get the real, secure version of any Android app. Especially in the case of Minecraft, which is worth every penny. As is usually the case, it pays to pay.
