Parrot Copter and Viking Jump apps hide malware in Google Play

Thanks to Anna Szalay of SophosLabs for her behind-the-scenes work on this article.

Security researchers at Check Point blogged earlier this week about an Android malware family they dubbed the Viking Horde.

The name comes from one of the apps in the bunch, a game called Viking Jump.

The game looks vaguely interesting at first sight, like an eclectic variant of Flappy Bird with Dark Ages helmets and swords set in America some time before European settlement:

As far as we can tell, however, the game is as good as unplayably useless, and serves merely as a basic visual “cover story” that justifies having an app at all.

Nevertheless, Viking Jump had racked up more than 50,000 downloads by the time Check Point looked at it, only to find that it had a lot more behind its smokescreen of recklessly leaping Scandinavian warriors lost in time.

The app serves as a vehicle for a range of malware components, including the ability to download additional executable code; to reactivate the malware if you try to uninstall the app; and to activate a web proxy (web interceptor) to keep track of and modify your browsing.

Hidden web proxies that can be controlled remotely can be used for a range of crooked activities, from surveillance and data theft to ad-click fraud.

Inside Viking Jump

On decompiling the app, some of the added code modules might pique the interest of security researchers, such as Stephen Ericson’s RootShell component:

Stericson is a well-known developer in the Android ecosystem, perhaps best known for his Busybox port that brings a raft of handy Unix command line tools to your phone.

Developers, Android hackers and other enthusiastic tinkerers probably know Stericson’s name well, but you wouldn’t expect to see RootShell, no matter how handy it might be for an Android rooting enthusiast, in a game of the Viking Jump variety.

That warning sign, however, wasn’t enough to stop this and numerous other apps with similar malicious content getting through security verification and into the Google Play Store.

Other malicious apps included the much cooler looking game Parrot Copter (we admit we haven’t tried it), an app claiming to be a Wi-Fi strength meter, and Memory Booster (that one is supposed to optimise your phone’s RAM, not to train your brain).

The other apps, fortunately, were a bit of a flop for the crooks: they clocked up 1000-5000 installs each on average, with Parrot Copter apparently ending up with in the lowest possible Google Play category, with just 1-5 users.

Cleaning up Google Play

The point is, though, that no matter how unpopular a malicious app might turn out to be, malware isn’t supposed to make it into Google Play in the first place.

Check Point reported the offending files to Google last week (2016-05-05), but SophosLabs found that Viking Jump was still available yesterday (2016-05-10).

Ironically, that was the app with the most credibility, given its installation count.

So, we decided to report it as well, presumably along with other researchers surprised by Google’s slow response after Check Point’s article.

The good news is that Viking Jump has now been removed.

From the rather unfinished look of the app, with some malicious-looking components added to the app but never called, it’s possible that the crooks were more interested in the verification process than in the malware infections that ultimately resulted.

For all we know, they may have been carrying out tests to see what sort of coding tricks would get caught, and which would slip past Google’s verification, as part of a “learning how to game the Play Store” process.

What to do?

Even though Google Play was found wanting in this case, we still strongly recommend that you stick to it as much as you can.

Even if Google Play sometimes contains malware, there has historically been only a tiny fraction compared to some of the “off-market” download sites out there, some of which seem to pride themselves on being unvetted, unverified, uncensored and frequently unsafe.

So, our three primary tips for Android app security are:

  • Install patches for your device as soon as they are available. (Sadly, for some devices, that’s rarely or never.)
  • Use a product such as Sophos Free Antivirus and Security to keep an eye out for malware, dodgy websites, adware and other potentially unwanted apps.
  • Turn off Allow installation of apps from unknown sources in the Android security settings if you can.

And, remember, if there’s an app you like but you’re in any doubt, why not just leave it out?