Android malware poses as Angry Birds Space game


Android malware authors have seized an opportunity to infect unsuspecting smartphone users with the launch of the latest addition to the immensely popular "Angry Birds" series of games.

SophosLabs recently encountered malware-infected editions of the "Angry Birds Space" game which have been placed in unofficial Android app stores. Please note: The version of "Angry Birds Space" in the official Android market (recently renamed "Google Play") is *not* affected.

The Trojan horse, which Sophos detects as Andr/KongFu-L, appears to be a fully-functional version of the popular smartphone game, but uses the GingerBreak exploit to gain root access to the device, and install malicious code.

The Trojan communicates with a remote website in an attempt to download and install further malware onto the compromised Android smartphone.

[Image: Android phone with Trojan posing as Angry Birds Space]

Interestingly, the malware hides its payload - in the form of two malicious ELF files - at the end of a JPG image file.

[Image: Hidden code at end of JPG file]
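A defender can check an image extracted from an APK for this kind of appended payload by walking the JPEG segment structure to the real end-of-image marker and looking for ELF magic bytes in whatever follows. The sketch below is an added example, not SophosLabs code; the function names and the sample bytes are constructed for illustration.

```python
import struct
ELF_MAGIC = b"\x7fELF"

def jpeg_end_offset(data: bytes) -> int:
    """Walk JPEG segments from SOI and return the offset just past EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker, not a JPEG")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                        # fill byte before a marker
            pos += 1
        elif marker == 0xD9:                      # EOI: the image ends here
            return pos + 2
        elif marker == 0x01 or 0xD0 <= marker <= 0xD7:
            pos += 2                              # standalone marker, no length
        else:
            if pos + 4 > len(data):
                break
            seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
            if seg_len < 2:
                raise ValueError(f"bad segment length at offset {pos}")
            pos += 2 + seg_len
            while marker == 0xDA and pos + 1 < len(data) and not (
                data[pos] == 0xFF and data[pos + 1] != 0x00
                and not 0xD0 <= data[pos + 1] <= 0xD7
            ):
                pos += 1                          # skip entropy-coded scan data
    raise ValueError("truncated JPEG, no EOI marker found")

def find_appended_elf(data: bytes):
    """Return (end_of_image, trailing_byte_count, absolute ELF magic offsets)."""
    end = jpeg_end_offset(data)
    offsets, i = [], data.find(ELF_MAGIC, end)
    while i != -1:
        offsets.append(i)
        i = data.find(ELF_MAGIC, i + 1)
    return end, len(data) - end, offsets

def build_sample(trailer: bytes = b"") -> bytes:
    """Constructed test file: APP1 holding a decoy FF D9, one scan, EOI, trailer."""
    app1 = b"\xff\xe1" + struct.pack(">H", 6) + b"\xff\xd9AB"
    sos = b"\xff\xda" + struct.pack(">H", 3) + b"\x00" + b"\x12\xff\x00\x34\xff\xd0\x56"
    return b"\xff\xd8" + app1 + sos + b"\xff\xd9" + trailer
if __name__ == "__main__":
    fake = ELF_MAGIC + b"\x01" * 12 + ELF_MAGIC + b"\x02" * 12  # placeholder bytes, not real ELFs
    print(find_appended_elf(build_sample()), find_appended_elf(build_sample(fake)))
```

Walking the segments matters because a plain search for `FF D9` stops at the first occurrence, which can sit inside metadata such as an embedded thumbnail. Trailing bytes alone are not proof of malice; the ELF magic inside them is what makes the file worth pulling apart.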

With the malware in place, cybercriminals can now send compromised Android devices instructions to download further code or push URLs to be displayed in the smartphone's browser.

Effectively, your Android phone is now part of a botnet, under the control of malicious hackers.

It feels like we have to keep reminding Android users to be on their guard against malware risks, and to be very careful - especially when downloading applications from unofficial Android markets.


23 Responses to Android malware poses as Angry Birds Space game

  1. Ben · 741 days ago

    If you download apps from unofficial markets - be on your guard! Surely that's obvious?

    • Tim · 741 days ago

      If it was that obvious, then I'm sure the purpose of this article would be void! Surely that's obvious?

    • Jeremy · 741 days ago

      You would think so but these kinds of stories generate lots of clicks so I don't plan on them going away.

      I have never heard of this site or this author but this ridiculous story brought me here.

      Anyone going out of their way to sideload Angry Birds is probably a pirate and deserves a little bit of malwarez IMO.

  2. jimb · 741 days ago

    That's great...so how do we get rid of it? Seems like an important factor left out in the article...

  3. Mark · 741 days ago

    I have this game on my phone.
    How can I be sure that it's not this nasty malware version?

    • If you got the app from the official Android market (now named Google Play) then you should have nothing to worry about.

      The trojanised version was on unofficial app stores.

  4. Jamie · 741 days ago

    So what do you do if you have installed it, besides the obvious of removing it?

  5. Thanks for the heads up! But I have a question: where did you detect this infected version?

    Angry Birds Space is freely available on Google Play, developed by Rovio, (https://play.google.com/store/apps/details?id=com.rovio.angrybirdsspace.ads) but is it possible that one finds a malicious version there too?

    • Anna Brading · 740 days ago

      The infected version was on an unofficial app store so you should be fine if you get it from Google Play.

  6. Freida Gray · 741 days ago

    Are there any security programs that would work on phones?

    • Skeptic · 740 days ago

      Don't tell me... let me guess... something sold by Sophos??

  7. Chris · 741 days ago

    So, what do I do now that I've downloaded this?

  8. Kathy · 741 days ago

    Verizon provided these instructions for a Galaxy Nexus phone:

    Please complete the following to remove malware (Galaxy Nexus).
    Go to your contacts.
    Then select menu and then more.
    Select export.
    Then select export to SD card.
    Export to storage.
    From the home screen, touch Apps
    Touch Settings
    Touch Backup & Reset
    Tap Factory data reset
    Tap Reset Phone

  9. Pete · 741 days ago

    How can you know if the copy that is installed is a compromised copy? If downloaded from the official Android market, is that safe? If your device is compromised, how can it be removed? Is just deleting the app enough?

    Thanks, Sophos!

  10. Arantxa · 740 days ago

    What can we do in case of infection? Thanks for your help

  11. Would downloading Angry Birds space from the Amazon Appstore be a concern (since the Amazon Appstore is not, of course, the official Android App store)? Also, how can users tell if they're infected? Are there certain symptoms that users can look out for?

    • Stephanie · 740 days ago

      I also got mine from the Amazon Appstore. How can we tell if our phone is infected?

  12. rich · 740 days ago

    Ok. I downloaded from getjar. I played it for a couple levels and then uninstalled. How can I check to see if my Kindle Fire is compromised?

  13. Michael · 740 days ago

    Thanks for the information. What software can you use on an Android device to detect this type of trojan/malware? What does Sophos recommend?

  14. Jon · 736 days ago

    Avast makes a free Android anti-virus app... I'm not sure how effective it is but I can see a message that it's scanning every time I install a new app... and it's from the Google Play store.

  15. Nathan · 734 days ago

    No, not everyone looking to sideload is a filthy pirate. The android market can't download apps that won't fit in the /cache partition, and ABS is >32mb--many phones only allocate 20mb to /cache. So for phones like mine, the market version is a no-go.

  16. Tim · 732 days ago

    My wife somehow installed an "Angry Birds Seasons Installer" app provided by Getjar - one of those "independent stores". Though it was easy to remove it, it still had all of the attributes of malware, i.e. it does not show in the list of "My apps" on Google Play, it does not allow you to delete its icon from the applications list - it is always loaded into memory (and eats up approx. 26MB) and is monitoring your actions. It also nags you every hour by showing a notice inviting you to install Getjar. It has to be stopped and then uninstalled using the applications settings of the Android device. Though it has a distinctive "G" letter in the upper left corner of its icon and when you try to run it it asks you to give consent to installation of Getjar, not Angry Birds (i.e. it does not try to mask itself as an AB app), it still is malware.


About the author

Graham Cluley is an award-winning security blogger, and veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.