Thanks to András Mendik of SophosLabs in Sydney for the information in and the idea for this article.
Chances are, you've heard of Flappy Bird.
It is, or perhaps was, a simple yet addictive game available on iOS and Android that took the world by storm.
Flappy Bird's story is strange, perhaps even controversial.
After languishing in Apple's App Store for several months, with few downloads and fewer reviews, it suddenly shot up the charts, clocking thousands of reviews and millions of downloads per day in January 2014, becoming the top free app in the US app store along the way.
Just like that.
Perhaps the game's old-school, pixellated design and inherent simplicity brought in just enough users to bring it to critical mass and make it a runaway success?
All you do is keep tapping the screen to keep the bird's wings flapping, guiding it up and down through an urban obstacle course of industrial pipework.
Cynical observers suggested that the game's success had a smell of orchestrated fake reviews about it, sufficiently subtle to evade Apple's App Police, but suggestive enough to cause the game's overnight fame.
But whatever took the game to the top, it did get there, and it was popular.
Indeed, just six days ago, the game's creator was profiled by a US media outlet under the headline "Indie smash hit 'Flappy Bird' racks up $50K per day in ad revenue."
That's more money even than a top Premier League footballer's so-called wages!
But three days later, game creator Dong Nguyen abruptly announced he was pulling the game from the App Store and the Play Store, tweeting, "I just cannot take this anymore."
And that was that.
Except, of course - as SophosLabs researcher Andras Mendik chuckled to himself at the time - that celebrity news like this is just the sort of thing that draws people into risky, or at least peculiar, behaviour online.
We've certainly seen peculiar behaviour following the death of Flappy Bird, such as this chap in the UK, who's hoping to get twice the as-new price for his iPhone 5s on eBay, on account of it having a RARE Flappy Bird installed:
(The word RARE, capitalised no less, seems a strange choice to describe a game that was discontinued because it was far too prevalent.)
And, as Andras expected and soon noticed, the malware crooks muscled in, too, offering infected versions of Flappy Bird in alternative Android markets.
Allowing "off-market" app installs is a non-default option, and it produces a fairly stern warning from Google if you try to activate it:
But, like writers, musicians and artists whose popularity surges when they die, Flappy Bird enjoyed a bigger-than-ever viral marketing boost upon its demise.
So it's possible, even likely, that otherwise conservative users have been turning on the "unknown sources" feature so they can take a belated look at what the Flappy Bird fuss is all about.
Here's one of the malicious variants Andras found:
As you can see, it looks just like the real thing on the surface, with the same name and icon. But if we dig into the permissions of the original app, and compare them to the imposter, you'll quickly see what's changed.
→ Below, we're using the Privacy Advisor feature in Sophos Anti-Virus for Android, which helps you evaluate the permissions of an app at any time, most usefully before you first run it, or after an update. Note that Sophos detects this app as Andr/VietSms-T, so we deliberately had to bypass the malware warning that came up. We have artificially extended the "fake" screenshot vertically to fit in more detail.
The genuine application asks for network access (it serves ads), but not much more:
But the imposter wants as much as it can get, notably including the right to send SMSes for you:
Here's the sort of behaviour you can expect from the malicious version of the game.
Remember that the original Flappy Bird was free, with no trial period or money to pay: the author made his money through ads presented by the game, not by selling the app.
The imposter pretends to be a trial version that has expired; all you need to do is send an SMS to reactivate it:
That's a premium-rate SMS account, and you do get a warning - most users, we assume, will be rightly suspicious by now:
If you get this far, you should uninstall the app immediately, not least because of other malicious activities it might do later.
Don't rely on the app to get anywhere from here. For example, if you decide not to send the SMS and not to use the app, it offers to exit, as you might expect:
But it doesn't exit at all.
The app screen disappears, but the software keeps running in the background, as you will see if you click "Yes" to exit and then go to the list of recent apps:
What to do?
Don't get sucked into this sort of trick, even if you missed out on Flappy Bird when it was alive and you are determined to find out what the fuss was about:
- Be wary of apps from alternative markets. If you are in doubt, leave your device in its default setting so it doesn't allow you to install apps from unknown sources.
- Use an Android security and anti-virus program, like the one from Sophos. (It's free, there is no registration, and you get it in the Play Store.)
- Use a tool like the Sophos Privacy Advisor to review the sort of behaviour you can expect from new apps. If you are in any doubt, try a different app, or ask the vendor for an explanation of the permissions needed.
And with that, there's just one thing left to say.
We're sorry, but you're too late: Flappy Bird really is dead.