Yoroi-Cybaze ZLab malware researchers have analyzed four different fake Android APKs that pretend to be versions of the Apex Legends game.

Introduction

At the beginning of 2019, Electronic Arts released a game for PC, Xbox One and PlayStation 4 named Apex Legends. It is a battle royale game like Titanfall and Fortnite, the latter being its direct competitor in the battle royale gaming panorama.

The game has achieved great success in the gaming community, with 25 million players since its launch, and in a few days it exceeded its closest competitor in terms of online gamers. The popularity of this game and its absence from the Android Play Store have attracted the attention of many malware writers, who have exploited this opportunity to spread malicious versions for Android. Similar cases have been registered with the Fortnite game.

In the following report, the Yoroi ZLab – Cybaze researchers analyzed this latest emerging threat.

Technical analysis

Yoroi-Cybaze ZLab researchers found four different fake Android APKs related to the Apex Legends game. All of them have been downloaded from untrusted sources available on the clearnet. Malware authors created well-designed fake web pages, replicating all the graphics of the game and misleading the user into downloading the app, as shown in the following image:



Figure 1: fake/phishing Apex Legends web page

An example is “hxxps://apexhack[.]site/”, from which the researchers downloaded one of the samples. As shown in the above figure, the malicious website hosts both the Android and iOS versions of the fake app, but only the Android one has been taken into account in this analysis. The following tables show the information about the retrieved samples.



Sha 256: 38dc9d141c3eb9ce7a6ccf4851d18f73a539de9c7940c7b22f51dab15557a189
Threat: Apex Legends for Android
Brief description: Fake Apex Legends application not available on Android’s play store (4.61 MB)
Ssdeep: 98304:q6iX/A6ojBzHgIa7ntMVgGNt4/WViBQtRQjr4jrTjrxjrUjrd:PiPArlaRMnNt4/WViBIQj0jfjFjwjp

Table 1: information about first fake android app

Sha 256: 198477234b7f7d5d694c1b00dd77bc260e850750c94f9afb2409afa93665c890
Threat: Apex Legends for Android
Brief description: Fake Apex Legends application not available on Android’s play store (36.38 MB)
Ssdeep: 786432:WwO6h1yOFPijc2rPvre5BirSnC4Uu8Wt8tHH/rJ0IuMxLvjb:Z/kzrewI8tHfN00rb

Table 2: information about fourth fake android app

Sha 256: d0a0fec1a81735df80b3ffb7ef61ce2d6c9fbea8877a86da10557a41fbfa817b
Threat: Apex Legends for Android
Brief description: Fake Apex Legends application not available on Android’s play store (17.71 MB)
Ssdeep: 393216:DYPdYhEvt/d+iJap4TIT4z2Y/ObXRWNiBGMnCP1Z74HGpPA9qxkyqGds:sPdYhEvt/d+PH4qPTwNTR49q+Kds

Table 3: information about second fake android app

Sha 256: c63c1f01485427eb62e8a3baf3fd016eccf9ca245551b234c60b1c64d8c3c782
Threat: Apex Legends for Android
Brief description: Fake Apex Legends application not available on Android’s play store (808.11 KB)
Ssdeep: 12288:DTG9sGlIrK7ZqC9HDrSYoNQfuhhLaD26C9XgqRCIlNE8Z6GvhZt:DMsoIrKIC9HSYo6Wh5aDnG5ZJ

Table 4: information about third fake android app



Despite the Apex Legends references, the first two applications do not contain real malware; their main purpose is to obtain an economic return through the Google Mobile Ads SDK. Indeed, exploring the APK’s internals, it is possible to notice the packages related to Google Ads.



Figure 2: Google Ads structure in one of the two samples after reversing

These apps are not very interesting, so they will not be analyzed in depth. More attention is required for the third and fourth samples (Table 3 and Table 4).



Sample 3

The third sample is an attempt to redirect the user to a phishing site. When the app is running, it shows an Apex Legends video and then prompts the user to press the “OK” button in order to verify the EA Mobile Account.



Figure 3: popup displayed by the app to verify the EA mobile account

Reversing the APK, only one useful class emerges, which clearly shows the link pointing to the phishing service.



Figure 4: URL where the phishing web page is hosted.

After the user taps the button, the fake app opens a phishing web page inviting them to subscribe to some services by entering their personal details and credit card number.

Figure 5: phishing web page provided by URL cited above.

Behind the URL “www.areyouabot[.]net” there is a well-known malicious site, active since 2016 and related to a huge phishing network, in which some URLs related to fake MS Office pages are also present.



Figure 6. Another URL related to www.areyouabot[.]net site.

Although the phishing website is well known, at the time of writing the application has a medium detection rate, as shown in the following figure:



Figure 7. Third sample’s detection rate

Sample 4

This app has the smallest size because it does not include any video or media resources. Despite its size, it is the only APK that shows spyware behavior, so many anti-malware products detect it.



Figure 8: AV detection rate for the sample reported in table 4

Further confirmation of the malicious behavior is provided by the long list of required permissions, necessary to perform its operations. The following figure shows the complete list of permissions required by the application.

Figure 9. Complete list of required permissions

After the reversing phase, it is possible to analyze the malware’s source code in depth.



Figure 10: structure of malware

It is easy to reconstruct the malware’s behavior because the author did not use advanced anti-analysis techniques. Only the class names have been rewritten as single-letter names in order to hinder code analysis; probably a packer was used. Digging into the APK’s manifest, it is possible to notice that the main class is located at “yps.eton.application.M”.

Figure 11: Main activity declared in the application’s Android Manifest

When started, the malware uses a simple trick to stay hidden from the user: it removes its icon from the Home menu, then it registers a new service to intercept the events happening on the device. The service registration is visible in the following image:



Figure 12: creation of service



The icon removal is done, as usual, using the “setComponentEnabledSetting” method, with the following values as parameters:



k = 2 = COMPONENT_ENABLED_STATE_DISABLED
m = 1 = DONT_KILL_APP

Figure 13: removal of icon application

So, when the user taps the back button, the icon is hidden and the real behaviour of the malware is performed through the service. The service core is represented by the “A” component, which includes several inner classes.
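The manifest traits described above (a launcher activity that can later be disabled, a background service, and a long list of sensitive permissions) can be triaged automatically from a decoded AndroidManifest.xml, for instance apktool output. The script below is an added example, not code from the report or the analyzed sample; the package name, the activity “M” and the service “A” follow the report, while the embedded manifest and its permission list are a constructed illustration.

```python
"""Triage a decoded AndroidManifest.xml (e.g. apktool output) for the hide-then-spy pattern."""
import xml.etree.ElementTree as ET

A_NAME = "{http://schemas.android.com/apk/res/android}name"  # namespaced android:name
# Real Android permission names; treating them as sensitive is our own triage choice.
SENSITIVE = {"android.permission." + p for p in (
    "READ_SMS", "RECEIVE_SMS", "READ_CALL_LOG", "READ_PHONE_STATE", "READ_CONTACTS",
    "ACCESS_FINE_LOCATION", "RECORD_AUDIO", "PROCESS_OUTGOING_CALLS")}

# Constructed sample: package, activity "M" and service "A" follow the report;
# the permission list is illustrative, not the real sample's manifest.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="yps.eton.application">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="Apex Legends">
    <activity android:name="yps.eton.application.M">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name="yps.eton.application.A"/>
  </application>
</manifest>"""


def _filter_names(component, tag):
    """android:name values of <action>/<category> entries in a component's intent filters."""
    return {e.get(A_NAME) for f in component.findall("intent-filter") for e in f.findall(tag)}


def triage_manifest(xml_text):
    """Return launcher activities, services, sensitive permissions and a heuristic verdict."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    perms = {p.get(A_NAME) for p in root.findall("uses-permission")}
    launchers = [a.get(A_NAME) for a in app.findall("activity")
                 if "android.intent.action.MAIN" in _filter_names(a, "action")
                 and "android.intent.category.LAUNCHER" in _filter_names(a, "category")]
    services = [s.get(A_NAME) for s in app.findall("service")]
    sensitive = sorted(perms & SENSITIVE)
    # A launcher icon that can later be disabled, a background service and several
    # sensitive permissions together match the hide-then-spy pattern described above.
    return {"package": root.get("package"), "launchers": launchers, "services": services,
            "sensitive_permissions": sensitive,
            "suspicious": bool(launchers) and bool(services) and len(sensitive) >= 3}
```

Run it on the manifest of an unpacked APK to get a quick list of components worth reversing first; a hit is a triage signal, not proof of malice, since legitimate messaging or dialer apps declare similar permissions.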

Figure 14. Part of “A” class used to retrieve info about the infected device

Most operations are performed by the “A” class, but other classes are involved in specific tasks, e.g. the “C” class is used to trace inbound and outbound phone calls.

Figure 15. Part of “C” class.

Due to the absence of the icon, the user is not aware of the malicious service, which continues to perform its actions in the background. However, inspecting the running services through the Settings menu, it is easy to spot the malicious one.



Figure 16. Settings view reporting the fake Apex service.



After collecting all the information about its victim, the spyware sends it to its C2 located at “krater[.]giize[.]com”. Unfortunately, at the time of analysis the server seemed to be down.





Figure 17. Attempts of C2 communication



Attribution

Investigating the package names, it was possible to identify many other fake applications that show spyware behavior too. So, the Apex threat is part of a bigger campaign that rides the wave of popular games to steal information from passionate gamers, probably related to the Fortnite-themed samples reported by Fortinet researchers back in 2018.

The similarity between the recent Apex spyware and the old Fortnite one is shown in the following figure, where the same app structure emerges.



Figure 18. Comparison between Fortnite and Apex fake apk

Unlike the Apex APK, the fake Fortnite application was distributed through the BitTorrent network via the “ThePirateBay” portal. The use of different channels to spread the samples shows that the malware author tried to reach as many users as possible. Although the fake Fortnite threat belongs to an old campaign dating back to 2018, its torrent file is still available online.



The only difference between the two APKs lies in the resource section: in each campaign the malware author changes the icon, video and other media. In the following figure it is possible to notice this difference: on the left are the Fortnite threat’s resources, including its specific icon, while on the right a different icon is visible for the Apex APK.

Figure 19. Different resource sections between Fortnite and Apex fake apk

Further evidence that the malware author is the same for both campaigns is the e-mail address found in META-INF, which is always “harsahad.alkaabi96@gmail[.]com”.



Conclusion

Today, malware writers use the popularity of applications that are not present on the Play Store to spread their malicious applications. The use of mobile devices has grown in recent years and many users do not pay attention when downloading an app. Awareness that many of these apps could be malicious is still very low, and this is one of the main reasons for the growth in the number of apps downloaded to mobile devices from third-party sources. This report analyzed four fake Android apps found through a search engine. As shown, all of the analyzed apps are malicious and, moreover, they are able to steal information easily through a simple first interaction with the user.



The researchers of Cybaze-Yoroi ZLab advise not to download apps from third-party stores or sites and to verify on the official store whether the legitimate publisher, EA in this case, has actually released the app.

Further information, including the Indicators of Compromise (IoCs), is reported in the analysis published on the Yoroi blog.

https://blog.yoroi.company/research/apex-legends-for-android-a-fake-app-could-compromise-your-smartphone/

Pierluigi Paganini

(SecurityAffairs – Apex Legend, malware)
