Pierluigi Paganini
March 12, 2019
At the beginning of 2019, Electronic Arts released a game for PC, XBox One and Playstation 4 named Apex Legends. It is a battle royal game like Titanfall and Fortnite, the latter is the direct competitor in the battle royale gaming panorama.
The game has achieved great success in the gamers community with 25 million players since its launch and in a few
In the following report, the Yoroi ZLab – Cybaze researchers analyzed this latest emerging threat.
Yoroi-Cybaze ZLab researchers found four different fake android APKs related to Apex Legends game. All of them have been downloaded from untrusted sources available on the clearnet. Malware authors created well-designed fake web pages, replicating all the graphics of the game misleading the user to download the app, as shown in the following image:
An example is “hxxps://apexhack[.]site/”, from which the researchers downloaded one of the samples. As shown in the above figure, the malicious website hosts both the Android and IOS version of the fake app, but only the Android one has been taken into account for this analysis. In the following tables, the information about the retrieved samples is shown.
| Sha 256 | 38dc9d141c3eb9ce7a6ccf4851d18f73a539de9c7940c7b22f51dab15557a189 |
| Threat | Apex Legends for Android |
| Brief description | Fake Apex Legends application not available on Android’s play store (4.61 MB) |
| Ssdeep | 98304:q6iX/A6ojBzHgIa7ntMVgGNt4/WViBQtRQjr4jrTjrxjrUjrd:PiPArlaRMnNt4/WViBIQj0jfjFjwjp |
Table 1: information about first fake android app
| Sha 256 | 198477234b7f7d5d694c1b00dd77bc260e850750c94f9afb2409afa93665c890 |
| Threat | Apex Legends for Android |
| Brief description | Fake Apex Legends application not available on Android’s play store (36.38 MB) |
| Ssdeep | 786432:WwO6h1yOFPijc2rPvre5BirSnC4Uu8Wt8tHH/rJ0IuMxLvjb:Z/kzrewI8tHfN00rb |
Table 2: information about fourth fake android app
| Sha 256 | d0a0fec1a81735df80b3ffb7ef61ce2d6c9fbea8877a86da10557a41fbfa817b |
| Threat | Apex Legends for Android |
| Brief description | Fake Apex Legends application not available on Android’s play store (17.71 MB) |
| Ssdeep | 393216:DYPdYhEvt/d+iJap4TIT4z2Y/ObXRWNiBGMnCP1Z74HGpPA9qxkyqGds:sPdYhEvt/d+PH4qPTwNTR49q+Kds |
Table 3: information about second fake android app
| Sha 256 | c63c1f01485427eb62e8a3baf3fd016eccf9ca245551b234c60b1c64d8c3c782 |
| Threat | Apex Legends for Android |
| Brief description | Fake Apex Legends application not available on Android’s play store (808.11 KB) |
| Ssdeep | 12288:DTG9sGlIrK7ZqC9HDrSYoNQfuhhLaD26C9XgqRCIlNE8Z6GvhZt:DMsoIrKIC9HSYo6Wh5aDnG5ZJ |
Table 4: information about third fake android app
Despite the usage of Apex Legends references, the first two applications do not contain a real malware, but their main purpose is to obtain an economic return through Google Mobile Ads SDK. Indeed, exploring the apk’s internals, it is possible to notice the packages related to Google Ads.
These apps are not very interesting, so they will not analyzed in-depth. More attention is required for the third and fourth sample (Table 3 and Table 4).
The third sample is an attempt to hijack the user towards a phishing site. When the app is running, it shows an Apex Legends video and, then, the application prompts the user to press the “OK” button in order to verify the EA Mobile Account.
Reversing the apk, only one useful class emerges which clearly shows the link pointing to the phishing service.
After the user taps on the button, the fake app opens a phishing web page inviting him to subscribe to some services, specifying his personal details and the credit card number.
Behind the URL “www.areyouabot[.]net” there is a well-known malicious site, active since 2016, and related to a huge phishing network, in which also some URLs related to fake MS Office pages are present.
Despite the phishing website is well-known, at the time of writing, the application has a medium detection rate, as shown in the following figure:
This app has the smallest size because it does not provide any videos or media resources. Despite its dimensions, this is the only apk that shows a spyware behavior. So, many anti-malwares detects it.
Further confirmation of the malicious behavior is provided by the long list of required permissions, necessary to perform its operations. In the following figure is shown a complete list of permissions required by the application.
After a reversing phase, it is possible to analyze the malware source code in-depth.
It is easy to reconstruct the malware’s behavior because the author did not use advanced anti-analysis techniques. Only the class names are re-written using a single letter names in order to make the code analysis hard, probably a packer was used. Digging in the apk’s manifest, it is possible to notice that the main class is located in “yps.eton.application.M”.
When started, the malware uses a simple trick to stay hidden to the user, in fact, it removes its icon from the Home Menu, then it registers a new service to intercept the events happening into the device. The service registration is visible in the following image:
The icon removal is done, as usual, using the “setComponentEnabledSetting” method, specifying some values as parameters:
So, when the user taps on the back button, the icon is hidden and the real behaviour of malware will be performed through the service. The service core is represented by the “A” component which includes some different inner class inside of it.
Most operations are performed by “A” class, but there are other classes involved in specific tasks, i.e. the “C” class is used to trace the inbound and outbound phone calls.
Due to the absence of the icon, the user does not care about the presence of the malicious service, which continues to perform its actions in background. Otherwise, inspecting the installed services through the Settings Menu, it is easy to detect the malicious one.
After collecting all the information about its victim, the spyware sends them to its C2 located at “krater[.]giize[.]com”. Unfortunately, at the time of analysis the server seems to be down.
Investigating the package names, it was possible to identify many other fake applications which have spyware behavior too. So, the Apex threat is part of a bigger campaign that rides the wave of the popular games to steal information from passionate gamers, probably related to Fortnite themed samples reported by Fortinet researchers back in 2018.
The similarity between the recent Apex spyware and the old Fortnite one is shown into the following figure, where the same app’s structure emerges.
Unlike the Apex APK, the fake Fortnite application has been distributed through BitTorrent network via the “ThePirateBay” portal. The use of different channels to spread the samples is the proof that the malware author tried to reach as many users as possible. Anyway, despite the fake Fortnite threat belongs to an old campaign, dated back in 2018, its torrent file is still available online.
Obviously, the only difference between the two APK resides into the resource section. In each campaign the malware author changes icon, video and others media. In the following figure it is possible to notice this difference: on the left there are the Fortnite threat’s resources, including the specific icon, viceversa on the right is possible to see a different icon for Apex apk.
Another evidence the malware author is the same for both campaigns is the e-mail address found in the META-INF file which is always “harsahad.alkaabi96@gmail[.]com”.
Today the malware writers uses the popularity of applications that are not presents on play store to spread their malicious applications. The use of mobile devices has growth in the latest year and many users does not pay attention when downloading an app. The awareness that many of these could be malicious, today, is very low and this is one of the main reason of growth in the number of downloaded apps on mobile device from third parties sources. In this report have been analyzed four fake apps for android found through a search engine. As visible, all of the analyzed apps are malicious and moreover, they are able to steal information in easy way through a simple first interaction provided by users.
The researchers of
Further information, including the Indicators of Compromise (IoCs), is reported in the analysis published on the Yoroi blog.
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – Apex Legend, malware)
[adrotate banner=”5″]
[adrotate banner=”13″]
