Israeli software and data security giant Check Point Software Technologies Ltd. alerted Google over the weekend to porn-related malware in at least 63 game apps on Google’s Play Store, prompting the US tech company to remove the games, many of which were for children.
Check Point published a report on Friday announcing its discovery of the malicious code, dubbed “AdultSwine” which the Israeli company says wreaks havoc in three main ways: “displaying ads from the web that are often highly inappropriate and pornographic”; “attempting to trick users into installing fake ‘security apps’”; and convincing “users to register [for] premium services at the user’s expense.”
The malware can also “use its infrastructure to broaden its goals to other purposes, such as credential theft,” Check Point says, adding that once the malicious code “is installed on the device, it waits for a boot to occur or for a user to unlock his screen, upon which it initiates its malicious activity.”
A diagram by Check Point on how the porn malware works. Via Check Point
“Adult Swine” also displays “scareware,” frightening users into installing unnecessary and potentially harmful “security” apps, and tricks them into entering phone numbers by announcing they’ve won a prize. Once entered, the code then makes use of the number to register for the victims for fraudulent premium services, charging their accounts.
Check Point says the code operates by contacting its Command and Control server (C&C) to report a successful installation and send data about the infected device. It then “receives the configurations, which determine its course of operation,” and make decisions like “whether to hide its icon (to encumber removal), which ads to display, over which apps and on what terms.”
“It is interesting to note that the server, however, forbids ads to be displayed over certain apps such as browsers and social networks, in order to avoid suspicion,” the Israeli company adds.
In a statement to the Financial Times, Google said it had “removed the apps from Play, disabled the developers’ accounts and will continue to show strong warnings to anyone that has installed them.”
“We appreciate Check Point’s work to help keep users safe,” Google added.
Among the games hit with the malware, Check Point named three with estimates of over 500,000 minimum downloads, and eight with a minimum of 100,000 downloads. Game titles include “Exploration Pro WorldCraft,” “Drawing Lessons Lego Star Wars,” “Jurassic Survival Craft Game,” and “Temple Runner Castle Rush.”
Google told The Verge it has a Family collection on the Play Store to help parents find content that is age-appropriate content and has a program called Family Link, which lets parents create Google Accounts for their kids and set “certain digital ground rules.”
Google said it manually reviews ads and that the apps in the family program were not among those listed by Check Point as having been infected.
Check Point said in its report that although the malicious app “seems to be a nasty nuisance, and most certainly damaging on both an emotional and financial level, it nevertheless also has a potentially much wider range of malicious activities that it can pursue, all relying on the same common concept.”
The company said that the simplicity of the command, in some cases just an advertisement “could also lead to whatever social engineering scheme the hacker has in mind,” and that “these plots continue to be effective even today, especially when they originate in apps downloaded from trusted sources such as Google Play.”