Android malware authors have seized an opportunity to infect unsuspecting smartphone users with the launch of the latest addition to the immensely popular “Angry Birds” series of games.
SophosLabs recently encountered malware-infected editions of the “Angry Birds Space” game which have been placed in unofficial Android app stores. Please note: The version of “Angry Birds Space” in the official Android market (recently renamed “Google Play”) is *not* affected.
The Trojan horse, which Sophos detects as Andr/KongFu-L, appears to be a fully-functional version of the popular smartphone game, but uses the GingerBreak exploit to gain root access to the device and install malicious code.
The Trojan communicates with a remote website in an attempt to download and install further malware onto the compromised Android smartphone.
Interestingly, the malware hides its payload – in the form of two malicious ELF files – at the end of a JPG image file.
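The following Python checks an image for data appended after the JPEG end-of-image marker and reports any ELF headers found there, which is how a scanner could flag this hiding technique. It is an added example, not code from the original article or from Sophos; the function names are hypothetical and the sample bytes are constructed for illustration.

```python
import struct
ELF_MAGIC = b"\x7fELF"

def jpeg_end_offset(data):
    """Walk the JPEG marker stream; return the offset just past the EOI marker."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:                      # fill byte before a marker
            pos += 1
        elif marker == 0xD9:                    # EOI: the image ends here
            return pos + 2
        elif marker == 0x01 or 0xD0 <= marker <= 0xD7:
            pos += 2                            # standalone marker, no length
        else:
            if pos + 4 > len(data):
                break
            pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
            while marker == 0xDA and pos + 1 < len(data):
                # entropy-coded scan data: FF00 is a stuffed byte, FFD0-D7 restarts
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    raise ValueError("truncated JPEG (no EOI marker)")

def find_appended_elf(data):
    """Return absolute offsets of plausible ELF headers located after the image."""
    offsets, idx = [], data.find(ELF_MAGIC, jpeg_end_offset(data))
    while idx != -1:
        ident = data[idx + 4:idx + 7]           # EI_CLASS, EI_DATA, EI_VERSION
        if len(ident) == 3 and ident[0] in (1, 2) and ident[1] in (1, 2) and ident[2] == 1:
            offsets.append(idx)
        idx = data.find(ELF_MAGIC, idx + 1)
    return offsets

# Constructed sample: valid marker stream (not decodable); APP1 holds FF D9 + ELF magic.
SAMPLE_CLEAN = (b"\xff\xd8" + b"\xff\xe0\x00\x07JFIF\x00"
                + b"\xff\xe1\x00\x0a\xff\xd9\x7fELF\x01\x01"
                + b"\xff\xda\x00\x03\x00" + b"\x12\xff\x00\x34\xff\xd0\x56" + b"\xff\xd9")
ELF_STUB = b"\x7fELF\x01\x01\x01" + b"\x00" * 9   # constructed 16-byte e_ident only
SAMPLE_TAINTED = SAMPLE_CLEAN + ELF_STUB + b"pad" + ELF_STUB

if __name__ == "__main__":
    print(find_appended_elf(SAMPLE_CLEAN), find_appended_elf(SAMPLE_TAINTED))
```

Walking the segments matters because a metadata segment can legitimately contain the bytes `FF D9` or even `\x7fELF` (as the constructed APP1 segment does), so a plain byte search would misplace the end of the image.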
With the malware in place, cybercriminals can now send compromised Android devices instructions to download further code or push URLs to be displayed in the smartphone’s browser.
Effectively, your Android phone is now part of a botnet, under the control of malicious hackers.
It feels like we have to keep reminding Android users to be on their guard against malware risks, and to be very careful – especially when downloading applications from unofficial Android markets.
If you download apps from unofficial markets – be on your guard! Surely that's obvious?
If it was that obvious, then I'm sure the purpose of this article would be void! Surely that's obvious?
You would think so but these kinds of stories generate lots of clicks so I don't plan on them going away.
I have never heard of this site or this author but this ridiculous story brought me here.
Anyone going out of their way to sideload Angry Birds is probably a pirate and deserves a little bit of malwarez IMO.
That's great…so how do we get rid of it? Seems like an important factor left out in the article…
I have this game on my phone.
How can I be sure that it's not this nasty malware version?
If you got the app from the official Android market (now named Google Play) then you should have nothing to worry about.
The trojanised version was on unofficial app stores.
So what do you do if you have installed it, besides the obvious of removing it?
Thanks for the heads up! But I have a question: where did you detect this infected version?
Angry Birds Space is freely available on Google Play, developed by Rovio, (https://play.google.com/store/apps/details?id=com.rovio.angrybirdsspace.ads) but is it possible that one finds a malicious version there too?
The infected version was on an unofficial app store so you should be fine if you get it from Google Play.
Are there any security programs that would work on phones?
Don't tell me… let me guess… something sold by Sophos??
So, what do I do now that I've downloaded this?
Verizon provided these instructions for a Galaxy Nexus phone:
Please complete the following to remove malware (Galaxy Nexus).
Go to your contacts.
Then select menu and then more.
Select export.
Then select export to SD card.
Export to storage.
From the home screen, touch Apps
Touch Settings
Touch Backup & Reset
Tap Factory data reset
Tap Reset Phone
How can you know if the copy that is installed is a compromised copy? If downloaded from the official Android market, is that safe? If your device is compromised, how can it be removed? Is just deleting the app enough?
Thanks, Sophos!
Sounds like you're ok to me, if you got it from the official Android marketplace.
What can we do in case of infection? Thanks for your help
Would downloading Angry Birds space from the Amazon Appstore be a concern (since the Amazon Appstore is not, of course, the official Android App store)? Also, how can users tell if they're infected? Are there certain symptoms that users can look out for?
I also got mine from the Amazon Appstore. How can we tell if our phone is infected?
Ok. I downloaded from getjar. I played it for a couple levels and then uninstalled. How can I check to see if my kindle fire is compromised?
Thanks for the information. What software can you use on an android device to detect this type of trojan/malware? What does sophos recommend?
Avast makes a free android anti-virus app…I'm not sure how effective it is but I can see a message that It's scanning every time I install a new app…and it's from the Google Play store.
No, not everyone looking to sideload is a filthy pirate. The android market can’t download apps that won’t fit in the /cache partition, and ABS is >32mb–many phones only allocate 20mb to /cache. So for phones like mine, the market version is a no-go.
My wife somehow installed an "Angry Birds Seasons Installer" app provided by Getjar – one of those "independent stores". Though it was easy to remove it, it still had all of the attributes of malware, i.e. it does not show in the list of "My apps" on Google Play, it does not allow you to delete its icon from the applications list – it is always loaded into memory (and eats up approx. 26MB) and is monitoring your actions. It also nags you every hour by showing a notice inviting you to install Getjar. It has to be stopped and then uninstalled using the applications settings of the Android device. Though it has a distinctive "G" letter in the upper left corner of its icon and when you try to run it it asks you to give consent to installation of Getjar, not Angry Birds (i.e. it does not try to mask itself as an AB app), it still is malware.