Thanks to András Mendik of SophosLabs in Sydney for the information in and the idea for this article.
Chances are, you’ve heard of Flappy Bird.
It is, or perhaps was, a simple yet addictive game available on iOS and Android that took the world by storm.
Flappy Bird’s story is strange, perhaps even controversial.
After languishing in Apple’s App Store for several months, with few downloads and fewer reviews, it suddenly shot up the charts, clocking thousands of reviews and millions of downloads per day in January 2014, becoming the top free app in the US app store along the way.
Just like that.
Perhaps the game’s old-school, pixellated design and inherent simplicity brought in just enough users to bring it to critical mass and make it a runaway success?
All you do is keep tapping the screen to keep the bird’s wings flapping, guiding it up and down through an urban obstacle course of industrial pipework.
Cynical observers suggested that the game’s success had a smell of orchestrated fake reviews about it, sufficiently subtle to evade Apple’s App Police, but suggestive enough to cause the game’s overnight fame.
But whatever took the game to the top, it did get there, and it was popular.
Indeed, just six days ago, the game’s creator was profiled by a US media outlet under the headline “Indie smash hit ‘Flappy Bird’ racks up $50K per day in ad revenue.”
That’s more money even than a top Premier League footballer’s so-called wages!
But three days later, game creator Dong Nguyen abruptly announced he was pulling the game from the App Store and the Play Store, tweeting, “I just cannot take this anymore.”
And that was that.
Except, of course – as SophosLabs researcher Andras Mendik chuckled to himself at the time – that celebrity news like this is just the sort of thing that draws people into risky, or at least peculiar, behaviour online.
We’ve certainly seen peculiar behaviour following the death of Flappy Bird, such as this chap in the UK, who’s hoping to get twice the as-new price for his iPhone 5s on eBay, on account of it having a RARE Flappy Bird installed:
(The word RARE, capitalised no less, seems a strange choice to describe a game that was discontinued because it was far too prevalent.)
And, as Andras expected and soon noticed, the malware crooks muscled in, too, offering infected versions of Flappy Bird in alternative Android markets.
Allowing “off-market” app installs is a non-default option, and it produces a fairly stern warning from Google if you try to activate it:
But, like writers, musicians and artists whose popularity surges when they die, Flappy Bird enjoyed a bigger-than-ever viral marketing boost upon its demise.
So it’s possible, even likely, that otherwise conservative users have been turning on the “unknown sources” feature so they can take a belated look at what the Flappy Bird fuss is all about.
Here’s one of the malicious variants Andras found:
As you can see, it looks just like the real thing on the surface, with the same name and icon. But if we dig into the permissions of the original app, and compare them to the imposter, you’ll quickly see what’s changed.
→ Below, we’re using the Privacy Advisor feature in Sophos Anti-Virus for Android, which helps you evaluate the permissions of an app at any time, most usefully before you first run it, or after an update. Note that Sophos detects this app as Andr/VietSms-T, so we deliberately had to bypass the malware warning that came up. We have artificially extended the “fake” screenshot vertically to fit in more detail.
The genuine application asks for network access (it serves ads), but not much more:
But the imposter wants as much as it can get, notably including the right to send SMSes for you:
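The comparison the two Privacy Advisor screenshots make by eye can also be scripted. The block below is an added example, not part of the original article or of Sophos's tooling: it diffs two permission lists in the style of `aapt dump permissions` output and flags the SMS-related additions. The package name, the permission lists and the watch-list are constructed sample data chosen to mirror what the screenshots show.

```python
import re

# Constructed sample data in the style of `aapt dump permissions <apk>`.
# The package name is a placeholder; the lists mirror the article's
# screenshots (genuine: network only; impostor: network plus SMS rights).
GENUINE_DUMP = """\
package: com.example.flappyclone
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.ACCESS_NETWORK_STATE'
"""

IMPOSTER_DUMP = """\
package: com.example.flappyclone
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.ACCESS_NETWORK_STATE'
uses-permission: name='android.permission.SEND_SMS'
uses-permission: name='android.permission.RECEIVE_SMS'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.READ_PHONE_STATE'
"""

PERM_RE = re.compile(r"uses-permission: name='([^']+)'")

# Permissions that let an app cost you money or read your messages.
# This watch-list is our own choice for the example, not an Android or Sophos list.
COSTLY = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.CALL_PHONE",
}


def parse_permissions(dump: str) -> set:
    """Extract the set of permission names from aapt-style dump text."""
    return set(PERM_RE.findall(dump))


def compare(genuine_dump: str, suspect_dump: str) -> dict:
    """Report what the suspect APK asks for beyond the genuine one."""
    genuine = parse_permissions(genuine_dump)
    suspect = parse_permissions(suspect_dump)
    added = suspect - genuine
    return {
        "added": sorted(added),
        "removed": sorted(genuine - suspect),
        "costly_added": sorted(added & COSTLY),
        "verdict": "suspicious" if added & COSTLY else "review",
    }


if __name__ == "__main__":
    for key, value in compare(GENUINE_DUMP, IMPOSTER_DUMP).items():
        print(f"{key}: {value}")
```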
Here’s the sort of behaviour you can expect from the malicious version of the game.
Remember that the original Flappy Bird was free, with no trial period or money to pay: the author made his money through ads presented by the game, not by selling the app.
The imposter pretends to be a trial version that has expired; all you need to do is send an SMS to reactivate it:
That’s a premium-rate SMS account, and you do get a warning – most users, we assume, will be rightly suspicious by now:
If you get this far, you should uninstall the app immediately, not least because of other malicious activities it might do later.
Don’t rely on the app to get anywhere from here. For example, if you decide not to send the SMS and not to use the app, it offers to exit, as you might expect:
But it doesn’t exit at all.
The app screen disappears, but the software keeps running in the background, as you will see if you click “Yes” to exit and then go to the list of recent apps:
What to do?
Don’t get sucked into this sort of trick, even if you missed out on Flappy Bird when it was alive and you are determined to find out what the fuss was about:
- Be wary of apps from alternative markets. If you are in doubt, leave your device in its default setting so it doesn’t allow you to install apps from unknown sources.
- Use an Android security and anti-virus program, like the one from Sophos. (It’s free, there is no registration, and you get it in the Play Store.)
- Use a tool like the Sophos Privacy Advisor to review the sort of behaviour you can expect from new apps. If you are in any doubt, try a different app, or ask the vendor for an explanation of the permissions needed.
And with that, there’s just one thing left to say.
We’re sorry, but you’re too late: Flappy Bird really is dead.
16 comments on “Flappy Bird really *is* dead – beware of infected fakes that promise to keep him alive!”
I know of plenty of credible sources to get the app… This article is kinda sensationalist Paul :/ Please don’t get that way!
Hmmmmmm. I hear you, but I think calling it “sensationalist” is a bit, ah, sensationalist.
The owner of the app’s intellectual property has withdrawn it from distribution. Done, dusted, game over. So it’s fair to say there *are no credible sources* to get the app, or at least no legitimate ones. Anyone hosting it, even in its original and unmodified form, is doing so unlawfully, as far as I can see.
The problem is that lots of people probably back themselves to find “a genuine pirated copy” somewhere on the internet. This article is meant to show a practical example of what can go wrong when you do that sort of thing, with this or any other app that you are determined to get via alternative, unofficial means.
I think if I were going to be sensationalist, I wouldn’t have said, “most users, we assume, will be rightly suspicious by now” at the point where the SMS prompt appears. I’d have played up the risks instead, surely?
Flappy Bird is an intriguing story. (Actually, now I think about it, it’s a sensational story, and can hardly be told any other way.) The guy’s game suddenly appeared in the sky from somewhere to the left of left field, yet after a couple of weeks, he allegedly gave up $50,000 a day because he couldn’t take it any more!
Surely I’m allowed to weave *that* into an article/fable/parable about how to protect yourself from dodgy behaviour from pseudo-undodgy Android apps 🙂
I’m in 100% agreement, Paul. I wonder if it would be beneficial to publish the md5 hash on the non-malware addled APK file. I realize this is problematic because as you say, the game’s creator willfully pulled the game (I’m the author of the exhaustive Mashable story you linked to in your post — thank you for that, by the way), but seeing as the game’s popularity isn’t waning — and if malware continues to rise — would that be erring towards the side of public safety, to reveal that information?
I’m primarily an iOS user and I never bothered to download the game on my Android devices, so I can’t 100% verify what APKs are modified or not, otherwise I’d probably add it in as a disclaimer in our coverage of the malware, if only for those savvy enough to seek out an alternative download (and savvy enough to understand the concept of an md5 hash and a checksum utility).
“If you really want to pirate the game, here is how to do so properly.”
(Since I can’t download an official copy of the official current version of the game any more, and I didn’t have it installed when it was discontinued, how would I be sure that what I’d just downloaded was the official and genuine article anyway? 🙂
I’ll stick to what I said in the article. You are too late: Flappy Bird is dead.
Nothing to see here. Move along.
Pah. Who am I kidding?
The APK that I used as my “clean sample” (note my weasel words, and weasel-air-quotes) to make the animated GIF in this article had a SHA-1 of:
My high score was 1. (See video above.)
I believe that when the permission list on the game got to the part about being able to read, modify, or delete text messages without showing them to me, I would choose to Uninstall.
The bird is clearly not the word here. There should be a way to notify customers of an app’s discontinuation so they are less likely to install a bogus app.
In this case, if you downloaded the app from Google Play, it’s still there and can still be downloaded. For everyone else, I think it’s these types of articles – as well as the truly global coverage of the game and its discontinuation — that should be the alert for those who are trying to seek it out.
I find teaching by example is a positive endeavour and that is why I appreciate the way you present your material.
I do wonder how many non-malicious apps are out there with unnecessary permission requests. Permissions that were set up during application development but no longer needed. Or ones that got included simply from a cut and paste cloning from a previous application.
Being a newbie to the Android world I was curious if there was any way to install an app and yet hobble its invasive permission requests.
The privacy manager on the Cyanogenmod distribution of Android works wonders 🙂
Think it might be on later versions of Android normally, but I’m not too sure about that. And it will depend on your vendor/phone.
It very much depends on the app. Some apps will let you say “no” to certain provisions and still use the app, but many others do not because they need those permissions to run.
It’s not uncommon for legitimate apps to ask for more permissions than necessary — you see this especially with newer developers who don’t know better or realize they can do what they need to do without asking for permission to more data. Still, after the increased focus around app permissions (especially around the time Google changed how permissions were explicitly displayed to the end user both upon installation and in Google Play), I’d like to think that the developer community is becoming properly educated to what is and what is not appropriate, depending on the app. It’s certainly in all the official Android dev documentation and the better frameworks.
Of course, just because education is out there doesn’t mean everyone learns. Which is another reason articles like this are helpful, so that users can be on alert and developers who might otherwise not know better can be sure to check their apps before publishing.
Hi, is the fake one with malicious malware just on Android phones or can it be downloaded onto an iPhone? It’s just that my daughter has the original Flappy Birds on her iPad but has a different one on her iPhone. Thank you.
There are no “off-market” sources for iOS apps, unless your device is jailbroken – Apple says, “No.”
So the above article applies to Android only. So far 🙂
Didn’t like the game anyway, 3 was my highest.
I don’t see what the fuss is over this game. My high score was 133, so it’s not that hard.
If people really need to play this game, for whatever reason, there is a 3DS version. I believe it’s 99 cents and as we’re talking Nintendo, and not a smart device, it would be safe.