Apex Legends for Android: a Fake App could Compromise your Smartphone

Introduction

At the beginning of 2019, Electronic Arts released a game for PC, Xbox One and PlayStation 4 named Apex Legends. It is a battle royale game in the vein of Titanfall and Fortnite; the latter is its direct competitor in the battle royale gaming landscape.

The game has achieved great success in the gaming community, with 25 million players since its launch, and within a few days it surpassed its closest competitor in terms of online players. The popularity of this game and its absence from the Android Play Store have attracted the attention of many malware writers, who have exploited this opportunity to spread their own malicious versions for Android. Similar cases have been recorded with the Fortnite game.

In the following report, the Yoroi ZLab – Cybaze researchers analyzed this latest emerging threat.

Technical analysis

Yoroi-Cybaze ZLab researchers found four different fake Android APKs related to the Apex Legends game. All of them were downloaded from untrusted sources available on the clearnet. The malware authors created well-designed fake web pages that replicate the game's graphics to trick users into downloading the app, as shown in the following image:

Figure 1: fake/phishing Apex Legends web page

An example is “hxxps://apexhack[.]site/”, from which the researchers downloaded one of the samples. As shown in the above figure, the malicious website hosts both the Android and iOS versions of the fake app, but only the Android one has been taken into account for this analysis. The following tables show the information about the retrieved samples.

Sha 256: 38dc9d141c3eb9ce7a6ccf4851d18f73a539de9c7940c7b22f51dab15557a189
Threat: Apex Legends for Android
Brief description: Fake Apex Legends application not available on Android’s Play Store (4.61 MB)
Ssdeep: 98304:q6iX/A6ojBzHgIa7ntMVgGNt4/WViBQtRQjr4jrTjrxjrUjrd:PiPArlaRMnNt4/WViBIQj0jfjFjwjp

Table 1: information about the first fake Android app

Sha 256: 198477234b7f7d5d694c1b00dd77bc260e850750c94f9afb2409afa93665c890
Threat: Apex Legends for Android
Brief description: Fake Apex Legends application not available on Android’s Play Store (36.38 MB)
Ssdeep: 786432:WwO6h1yOFPijc2rPvre5BirSnC4Uu8Wt8tHH/rJ0IuMxLvjb:Z/kzrewI8tHfN00rb

Table 2: information about the fourth fake Android app

Sha 256: d0a0fec1a81735df80b3ffb7ef61ce2d6c9fbea8877a86da10557a41fbfa817b
Threat: Apex Legends for Android
Brief description: Fake Apex Legends application not available on Android’s Play Store (17.71 MB)
Ssdeep: 393216:DYPdYhEvt/d+iJap4TIT4z2Y/ObXRWNiBGMnCP1Z74HGpPA9qxkyqGds:sPdYhEvt/d+PH4qPTwNTR49q+Kds

Table 3: information about the second fake Android app

Sha 256: c63c1f01485427eb62e8a3baf3fd016eccf9ca245551b234c60b1c64d8c3c782
Threat: Apex Legends for Android
Brief description: Fake Apex Legends application not available on Android’s Play Store (808.11 KB)
Ssdeep: 12288:DTG9sGlIrK7ZqC9HDrSYoNQfuhhLaD26C9XgqRCIlNE8Z6GvhZt:DMsoIrKIC9HSYo6Wh5aDnG5ZJ

Table 4: information about the third fake Android app

Despite their Apex Legends references, the first two applications do not contain real malware: their main purpose is to obtain an economic return through the Google Mobile Ads SDK. Indeed, exploring the APK internals, the packages related to Google Ads are easy to spot.

Figure 2: Google Ads package structure in one of the two samples after reversing

These apps are not very interesting, so they will not be analyzed in depth. More attention is required for the third and fourth samples (Table 3 and Table 4).

Sample 3

The third sample is an attempt to redirect the user to a phishing site. When the app runs, it shows an Apex Legends video and then prompts the user to press the “OK” button in order to verify their EA Mobile Account.

Figure 3: popup shown by the app to verify the EA Mobile Account

Reversing the APK, only one useful class emerges, and it clearly shows the link pointing to the phishing service.

Figure 4: URL hosting the phishing web page.

After the user taps the button, the fake app opens a phishing web page inviting them to subscribe to some services by entering their personal details and credit card number.

Figure 5: phishing web page served at the URL cited above.

Behind the URL “www.areyouabot[.]net” there is a well-known malicious site, active since 2016 and related to a huge phishing network, which also includes some URLs related to fake MS Office pages.

Figure 6. Another URL related to the www.areyouabot[.]net site.

Although the phishing website is well known, at the time of writing the application has a medium detection rate, as shown in the following figure:

Figure 7. Third sample’s detection rate

Sample 4

This app is the smallest because it does not ship any video or media resources. Despite its size, it is the only APK that shows spyware behavior, so many anti-malware products detect it.

Figure 8: AV detection rate for the sample reported in Table 4

Further confirmation of the malicious behavior is provided by the long list of permissions it requires to perform its operations. The following figure shows the complete list of permissions required by the application.

Figure 9. Complete list of required permissions

After reversing the APK, it is possible to analyze the malware source code in depth.

Figure 10: structure of the malware

It is easy to reconstruct the malware's behavior because the author did not use advanced anti-analysis techniques. Only the class names are rewritten as single-letter names in order to make code analysis harder; probably a packer was used. Digging into the APK manifest, it is possible to notice that the main class is located in “yps.eton.application.M”.

Figure 11: Main activity visible in Android Manifest provided by application

When started, the malware uses a simple trick to stay hidden from the user: it removes its icon from the home menu, then registers a new service to intercept the events happening on the device. The service registration is visible in the following image:

Figure 12: creation of the service

The icon removal is done, as usual, using the “setComponentEnabledSetting” method, with the following values as parameters:

k = 2 = COMPONENT_ENABLED_STATE_DISABLED
m = 1 = DONT_KILL_APP

Figure 13: removal of the application icon

So, when the user taps the back button, the icon is hidden and the real behaviour of the malware is carried out through the service. The core of the service is the “A” component, which includes several inner classes.

Figure 14. Part of “A” class used to retrieve info about the infected device

Most operations are performed by the “A” class, but other classes are involved in specific tasks: for example, the “C” class is used to trace inbound and outbound phone calls.

Figure 15. Part of “C” class.

Because the icon is gone, the user does not notice the malicious service, which keeps performing its actions in the background. However, by inspecting the running services through the Settings menu, the malicious one is easy to detect.

Figure 16. Settings view reporting the fake Apex service.
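The same icon-hiding trick leaves a footprint that can be hunted for from the command line: the package has disabled one of its own components, and it was the package itself (not Settings) that did so. The following is an added example, not code from the report; the dumpsys excerpt is constructed and modelled on the `adb shell dumpsys package` output format (the lastDisabledCaller and disabledComponents fields), and the second package name is a placeholder.

```python
import re
from typing import Dict, List

# Constructed excerpt modelled on `adb shell dumpsys package` output; not a real capture.
# First package: the main-class package named in the report ("yps.eton.application").
# Second package (placeholder): a component disabled by Settings rather than by the app itself.
SAMPLE_DUMPSYS = """\
Packages:
  Package [yps.eton.application] (3f2a1b):
    User 0: installed=true hidden=false stopped=false enabled=0
      lastDisabledCaller: yps.eton.application
      disabledComponents:
        yps.eton.application.M
  Package [com.example.placeholder] (9c8d7e):
    User 0: installed=true hidden=false stopped=false enabled=0
      lastDisabledCaller: com.android.settings
      disabledComponents:
        com.example.placeholder.DebugActivity
"""

def parse_packages(dump: str) -> Dict[str, dict]:
    """Map each package to its disabled components and to who disabled them."""
    pkgs: Dict[str, dict] = {}
    current, in_disabled = None, False
    for raw in dump.splitlines():
        line = raw.strip()
        header = re.match(r"Package \[([\w.]+)\]", line)
        if header:
            current = header.group(1)
            pkgs[current] = {"disabled": [], "caller": None}
            in_disabled = False
        elif current is None:
            continue
        elif line.startswith("lastDisabledCaller:"):
            pkgs[current]["caller"] = line.split(":", 1)[1].strip()
            in_disabled = False
        elif line == "disabledComponents:":
            in_disabled = True
        elif in_disabled and raw.startswith("        ") and line:
            pkgs[current]["disabled"].append(line)   # one component per indented line
        else:
            in_disabled = False
    return pkgs

def self_hidden_packages(dump: str) -> List[str]:
    """Packages that disabled one of their own components themselves: the icon-hiding pattern."""
    return [name for name, info in parse_packages(dump).items()
            if info["caller"] == name
            and any(c.startswith(name + ".") for c in info["disabled"])]
```

A component disabled by the Settings app (as in the placeholder package) is a user action and is not flagged; only a package that disabled itself is reported.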

After collecting all the information about its victim, the spyware sends it to its C2 located at “krater[.]giize[.]com”. Unfortunately, at the time of analysis the server appeared to be down.

Figure 17. Attempts of C2 communication

Attribution

Investigating the package names, it was possible to identify many other fake applications with the same spyware behavior. So, the Apex threat is part of a bigger campaign that rides the wave of popular games to steal information from passionate gamers, probably related to the Fortnite-themed samples reported by Fortinet researchers back in 2018.

The similarity between the recent Apex spyware and the old Fortnite one is shown in the following figure, where the same app structure emerges.

Figure 18. Comparison between Fortnite and Apex fake apk

Unlike the Apex APK, the fake Fortnite application was distributed through the BitTorrent network via the “ThePirateBay” portal. The use of different channels to spread the samples shows that the malware author tried to reach as many users as possible. Moreover, although the fake Fortnite threat belongs to an old campaign dating back to 2018, its torrent file is still available online.

Obviously, the only difference between the two APKs lies in the resource section. In each campaign the malware author changes the icon, video and other media. This difference is visible in the following figure: on the left are the Fortnite threat's resources, including its specific icon, while on the right a different icon for the Apex APK can be seen.

Figure 19. Different resource sections between Fortnite and Apex fake apk

Further evidence that the same malware author is behind both campaigns is the e-mail address found in the META-INF file, which is always “harsahad.alkaabi96@gmail[.]com”.

Conclusion

Today malware writers exploit the popularity of applications that are not present on the Play Store to spread their malicious applications. The use of mobile devices has grown in recent years and many users do not pay attention when downloading an app. Awareness that many of these apps could be malicious is still very low, and this is one of the main reasons for the growth in the number of apps downloaded on mobile devices from third-party sources. This report analyzed four fake apps for Android found through a search engine. As shown, all of the analyzed apps are malicious and, moreover, they are able to steal information easily through a simple first interaction by the user.

The researchers of Cybaze-Yoroi ZLab advise not to download apps from third-party stores or sites, and to verify whether the legitimate app is present on the official store, as with EA in this case.

Indicators of Compromise

  • Distribution Sites (sample 1,2):
    • hxxps://apexhack[.]site/
  • C2 (sample4):
    • krater[.]giize[.]com
  • Phishing (sample3):
    • hxxps://www[.]areyouabot[.]net/cl[.]php?id=6bc427be4845f89bda3aae759f91fcf7
  • Hash
    • 38dc9d141c3eb9ce7a6ccf4851d18f73a539de9c7940c7b22f51dab15557a189
    • 198477234b7f7d5d694c1b00dd77bc260e850750c94f9afb2409afa93665c890
    • d0a0fec1a81735df80b3ffb7ef61ce2d6c9fbea8877a86da10557a41fbfa817b
    • c63c1f01485427eb62e8a3baf3fd016eccf9ca245551b234c60b1c64d8c3c782
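To make the list above usable in a SOC, the indicators have to be refanged (hxxp and [.] undone) and matched by host rather than by the exact published URL, so that any path on a listed host is flagged. The following is an added example, not part of the report: it embeds a constructed copy of the IoC list above and classifies an observed URL, hostname or SHA-256 against it.

```python
import re
from typing import Dict, Optional, Set

# Constructed copy of the report's IoC list, kept defanged exactly as published.
IOC_TEXT = """\
Distribution Sites (sample 1,2):
  hxxps://apexhack[.]site/
C2 (sample4):
  krater[.]giize[.]com
Phishing (sample3):
  hxxps://www[.]areyouabot[.]net/cl[.]php?id=6bc427be4845f89bda3aae759f91fcf7
Hash
  38dc9d141c3eb9ce7a6ccf4851d18f73a539de9c7940c7b22f51dab15557a189
  198477234b7f7d5d694c1b00dd77bc260e850750c94f9afb2409afa93665c890
  d0a0fec1a81735df80b3ffb7ef61ce2d6c9fbea8877a86da10557a41fbfa817b
  c63c1f01485427eb62e8a3baf3fd016eccf9ca245551b234c60b1c64d8c3c782
"""

def refang(value: str) -> str:
    """Undo the report's defanging: leading 'hxxp' -> 'http' and '[.]' -> '.'."""
    return re.sub(r"^hxxp", "http", value.replace("[.]", "."))

def host_of(value: str) -> str:
    """Host part of a URL or bare hostname, lower-cased."""
    return re.sub(r"^https?://", "", value).split("/")[0].lower()

def parse_iocs(text: str) -> Dict[str, Set[str]]:
    """Group the refanged indicators under their headings ('C2', 'Hash', ...)."""
    groups, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):   # heading line; drop the "(sampleN)" qualifier
            current = line.split(" (")[0].rstrip(":").strip()
            groups[current] = set()
        elif current is not None:
            groups[current].add(refang(line.strip()))
    return groups

def classify(observed: str, groups: Dict[str, Set[str]]) -> Optional[str]:
    """Return the IoC group an observed URL, hostname or SHA-256 falls into, else None."""
    observed = observed.strip()
    for group, values in groups.items():
        if group == "Hash":
            if observed.lower() in {v.lower() for v in values}:
                return group
        elif host_of(observed) in {host_of(v) for v in values}:
            return group
    return None
```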

Yara rules

rule ApexLegends_1_07_03_2019 {
    meta:
        description = "Yara Rule for ApexLegends_sample_in_table3"
        author = "Cybaze Zlab_Yoroi"
        last_updated = "2019_03_07"
        tlp = "white"
        category = "informational"

    strings:
        $a = "PK"
        $b = {B5 7D E3 69 97 99 A7 8B E0 44}
        $c = {80 9B BD F7 AC EE 15 A1 71}
        $d = {AF 70 0F B6 48 64 98 FA D3 BC 8F}
        $e = "taptobeginn.mp4"

    condition:
        all of them
}

rule ApexLegends_2_07_03_2019 {
    meta:
        description = "Yara Rule for ApexLegends_sample_in_table4"
        author = "Cybaze Zlab_Yoroi"
        last_updated = "2019_03_07"
        tlp = "white"
        category = "informational"

    strings:
        $a = "PK"
        $b = {62 B6 72 06 B2 2F B0 85 A2 BD 0B}
        $c = "00001.9.png"
        $d = {FD 95 95 B2 73 61 5C DD 05 29}
        $e = "Atlikta"

    condition:
        all of them
}

This blog post was authored by Davide Testa, Antonio Farina and Antonio Pirozzi of Cybaze-Yoroi Z-LAB