The inevitable has happened, as it tends to do. Since the developer of Flappy Bird, Dong Nguyen, removed the incredibly popular mobile game from Google Play and the Apple App Store, fake Flappy Bird malware is running amok in its place.
Flappy Bird is, or was, a retro-style scrolling game that soared to stardom almost overnight and disappeared just as quickly. On February 5th there was speculation that the Flappy Bird app was netting $50k per day in ad revenue for Nguyen. Three days later Nguyen posted the following via Twitter:
True to his word, Nguyen removed the game from both the Apple App Store and Google Play, and people on Twitter lost their sh!t. There were an alarming number of threats directed at Nguyen. A quick P.S.A.: get a grip, people.
Smartphones with the Flappy Bird game installed are currently available on eBay with mind-boggling asking prices of $800-$900+. From a financial standpoint you're out of your mind if you purchase one of these devices to play Flappy Bird. From a security standpoint, it is equally certifiable to purchase and use one of these devices without taking precautions. Used smartphones can so easily be infected with malware. If you purchase a used smartphone always, always, always restore it to factory settings when you receive it. Smartphones these days store too much sensitive information for users to be negligent of possible malware.
So you missed out on Flappy Bird while it was available on official app stores, and have two brain cells to rub together and have decided not to pay the ransom on eBay for a smartphone with Flappy Bird installed. What can you do?
Well, you can play Flappy Bird in your browser or, alternatively, Sesame Street has released an in-browser game called Flappy Bert which, I must say, puts up some solid competition. There are also some very good alternatives to Flappy Bird in the Apple App Store (Splashy Fish), and on Google Play (Clumsy Bird).
What you shouldn't do is search Google for Flappy Bird and start downloading applications willy-nilly.
This Flappy Bird scenario has malware developers salivating over hordes of easy prey: a popular application is very publicly removed from all official app stores by the developer. Now massive numbers of smartphone users are scouring previously unfamiliar places looking for a taste.
Overnight Flappy Bird malware was developed and published and, at a quick glance, looks very much like the real thing. The fake Flappy Bird malware uses the same name and icon in the app menu as the original game.
But the telltale signs of a malicious application are there. The original Flappy Bird app requested few permissions, but the malicious version requests the ominous SEND_SMS permission. When the fake Flappy Bird application is launched a popup box states that the "Free Trial" period has ended and encourages the user to send an SMS message to activate the full version of the app.
The "activation" messages sent from this malware will result in premium SMS charges being placed on every victim's phone bill. Often premium SMS service charges are recurring and cost about $10. Charges add up very quickly and in a year each victim may pay $120 for a "free" game. When the earnings are added together the result is an incredibly profitable piece of malware.
But I hear you say, "well I would know if I signed up for some kind of paid service." You might, but the Flappy Bird malware will certainly do its best to go undetected. By law, premium messaging services must notify users of a sign up. But the Flappy Bird malware, like many SMS Trojans, will intercept all messages from the premium service number and block them from being delivered to the device.
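The two telltale signs described above, the SMS permissions and the interception of incoming messages, can be checked before installing an app by reading its manifest. The following is an added example, not code from the original article: it assumes the APK's AndroidManifest.xml has already been decoded to plain-text XML, and the sample manifest, package name and receiver name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
SMS_PERMS = {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS"}
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Constructed sample: decoded manifest of a hypothetical fake game.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Flappy Bird">
    <receiver android:name=".SmsFilter">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def audit_manifest(xml_text):
    """Return findings for SMS-trojan traits in a decoded manifest."""
    root = ET.fromstring(xml_text)
    findings = []
    # A simple game has no reason to send or read text messages.
    perms = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    for perm in sorted(perms & SMS_PERMS):
        findings.append("requests " + perm)
    # A prioritised receiver for incoming SMS sees messages before the
    # inbox app; before Android 4.4 it could also stop their delivery.
    for receiver in root.iter("receiver"):
        for flt in receiver.iter("intent-filter"):
            actions = {a.get(ANDROID + "name") for a in flt.iter("action")}
            try:
                priority = int(flt.get(ANDROID + "priority", "0"))
            except ValueError:
                priority = 0
            if SMS_ACTION in actions and priority > 0:
                findings.append("receiver %s handles incoming SMS at priority %d"
                                % (receiver.get(ANDROID + "name"), priority))
    return findings

if __name__ == "__main__":
    for line in audit_manifest(SAMPLE_MANIFEST):
        print("[!]", line)
```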
Flappy Bird malware is sneaky stuff; malware almost always is. Malware developers follow the trends to quickly exploit the largest number of people possible. Already this year malware has exploited the Winter Olympics in Sochi and the World Cup in Brazil. Keep the following security tips in mind when surfing the web from a smartphone, tablet, or personal computer.
- Install and use antivirus software on your device and stay current with the latest updates. Antivirus updates are designed to defend against the newest malware.
- Stay current with application, software, and operating system updates as well. These updates often include patches for newly discovered security vulnerabilities.
- Review applications and software before download. Read user reviews and look for an alternate web presence such as developer website, social media accounts, and customer support contact information. Failing to find an alternate web presence is a bad sign.
- Trust your instincts; don't download anything that seems too good to be true.
James Green is a mobile security researcher who has worked in the Android security field for several years providing privacy and security advice to Android users. Email: James@ArmorforAndroid.com; Twitter: @James_AfA