Apex Legends for Android: a Fake App could Compromise your Smartphone

Yoroi-Cybaze ZLab malware researchers have analyzed four different fake android APKs that pretend to be versions of the Apex Legends game.

Introduction

At the beginning of 2019, Electronic Arts released a game for PC, XBox One and Playstation 4 named Apex Legends. It is a battle royal game like Titanfall and Fortnite, the latter is the direct competitor in the battle royale gaming panorama.

The game has achieved great success in the gamers community with 25 million players since its launch and in a few days it exceeded his closest competitor in terms of online gamers. The popularity of this game and its absence on the Android Play store, have attracted the attention of many malware writers who had exploited these opportunities to spread their malicious version for Android. Similar cases has been registered with Fortnite game.

In the following report, the Yoroi ZLab – Cybaze researchers analyzed this latest emerging threat.

Technical analysis

Yoroi-Cybaze ZLab researchers found four different fake android APKs related to Apex Legends game. All of them have been downloaded from untrusted sources available on the clearnet. Malware authors created well-designed fake web pages, replicating all the graphics of the game misleading the user to download the app, as shown in the following image:

An example is “hxxps://apexhack[.]site/”, from which the researchers downloaded one of the samples. As shown in the above figure, the malicious website hosts both the Android and IOS version of the fake app, but only the Android one has been taken into account for this analysis. In the following tables, the information about the retrieved samples is shown.

Table 1: information about first fake android app

Table 2: information about fourth fake android app

Table 3: information about second fake android app

Table 4: information about third fake android app

Despite the usage of Apex Legends references, the first two applications do not contain a real malware, but their main purpose is to obtain an economic return through Google Mobile Ads SDK. Indeed, exploring the apk’s internals, it is possible to notice the packages related to Google Ads.

These apps are not very interesting, so they will not analyzed in-depth. More attention is required for the third and fourth sample (Table 3 and Table 4). 

Sample 3

The third sample is an attempt to hijack the user towards a phishing site. When the app is running, it shows an Apex Legends video and, then, the application prompts the user to press the “OK” button in order to verify the EA Mobile Account.

Reversing the apk, only one useful class emerges which clearly shows the link pointing to the phishing service.

After the user taps on the button, the fake app opens a phishing web page inviting him to subscribe to some services, specifying his personal details and the credit card number.

Behind the URL “www.areyouabot[.]net” there is a well-known malicious site, active since 2016, and related to a huge phishing network, in which also some URLs related to fake MS Office pages are present.

Despite the phishing website is well-known, at the time of writing, the application has a medium detection rate, as shown in the following figure:

Sample 4

This app has the smallest size because it does not provide any videos or media resources. Despite its dimensions, this is the only apk that shows a spyware behavior. So, many anti-malwares detects it. 

Further confirmation of the malicious behavior is provided by the long list of required permissions, necessary to perform its operations. In the following figure is shown a complete list of permissions required by the application.

After a reversing phase, it is possible to analyze the malware source code in-depth. 

It is easy to reconstruct the malware’s behavior because the author did not use advanced anti-analysis techniques. Only the class names are re-written using a single letter names in order to make the code analysis hard, probably a packer was used. Digging in the apk’s manifest, it is possible to notice that the main class is located in “yps.eton.application.M”.

When started, the malware uses a simple trick to stay hidden to the user, in fact, it removes its icon from the Home Menu, then it registers a new service to intercept the events happening into the device. The service registration is visible in the following image: 

The icon removal is done, as usual, using the “setComponentEnabledSetting” method, specifying some values as parameters:

1. k = 2 = COMPONENT_ENABLED_STATE_DISABLED<br>
2. m = 1 = DONT_KILL_APP

So, when the user taps on the back button, the icon is hidden and the real behaviour of malware will be performed through the service. The service core is represented by the “A” component which includes some different inner class inside of it.

Most operations are performed by “A” class, but there are other classes involved in specific tasks, i.e. the “C” class is used to trace the inbound and outbound phone calls.

Due to the absence of the icon, the user does not care about the presence of the malicious service, which continues to perform its actions in background. Otherwise, inspecting the installed services through the Settings Menu, it is easy to detect the malicious one.

After collecting all the information about its victim, the spyware sends them to its C2 located at “krater[.]giize[.]com”. Unfortunately, at the time of analysis the server seems to be down.

Attribution

Investigating the package names, it was possible to identify many other fake applications which have spyware behavior too. So, the Apex threat is part of a bigger campaign that rides the wave of the popular games to steal information from passionate gamers, probably related to Fortnite themed samples reported by Fortinet researchers back in 2018.

The similarity between the recent Apex spyware and the old Fortnite one is shown into the following figure, where the same app’s structure emerges.

Unlike the Apex APK, the fake Fortnite application has been distributed through BitTorrent network via the “ThePirateBay” portal. The use of different channels to spread the samples is the proof that the malware author tried to reach as many users as possible. Anyway, despite the fake Fortnite threat belongs to an old campaign, dated back in 2018, its torrent file is still available online.

Obviously, the only difference between the two APK resides into the resource section. In each campaign the malware author changes icon, video and others media. In the following figure it is possible to notice this difference: on the left there are the Fortnite threat’s resources, including the specific icon, viceversa on the right is possible to see a different icon for Apex apk.

Another evidence the malware author is the same for both campaigns is the e-mail address found in the META-INF file which is always “[email protected][.]com”. 

Conclusion

Today the malware writers uses the popularity of applications that are not presents on play store to spread their malicious applications. The use of mobile devices has growth in the latest year and many users does not pay attention when downloading an app. The awareness that many of these could be malicious, today, is very low and this is one of the main reason of growth in the number of downloaded apps on mobile device from third parties sources. In this report have been analyzed four fake apps for android found through a search engine. As visible, all of the analyzed apps are malicious and moreover, they are able to steal information in easy way through a simple first interaction provided by users.

The researchers of Cybaze-Yoroi ZLab advise to don’t download s apps from third parties store or sites and verify the presence of the legit app on the official store, as EA in this case.

Further information, including the Indicators of Compromise (IoCs), is reported in the analysis published on the Yoroi blog.

https://blog.yoroi.company/research/apex-legends-for-android-a-fake-app-could-compromise-your-smartphone/

Pierluigi Paganini

(SecurityAffairs – Apex Legend, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]

Share On