Wandera’s threat research team identified the malicious app on the Google Play Store. The app fools the Google Play Store’s rigorous security checks, “by using time-released malicious behavior, by using package names that closely resemble legitimate ones, and by being a fully functioning game, the game evaded suspicion and known red flags.”
Once it gets installed to the device, the app doesn’t start the infection process immediately; it stays calm for days before the malicious activity is triggered.
The app also targets victim’s based on the device operating systems, if the latest version of Android OS installed, it doesn’t perform any malicious activities, if it is an older version, then the malicious activity will get initiated.
On the infected victim device it popup’s fake notification asking the user to update Google security services, upon clicking update it presents a fake Google Login page and tricks victims into stealing passwords.
If the user enters the credentials, then it extracts additional information, including Recovery emails, Recovery phone numbers, Birthday, Verification codes, Cookies, and tokens. The app is also capable of launching itself after device reboot.
Based on Wandera analysis, the persistent ads displayed by the Scary Granny app opens the fake applications of the following service that includes Amazon, Facebook, Facebook Lite, HaGo, Hulu, Instagram, Messenger, Pinterest, SnapChat, TikTok, and Zalo.
“The app profits in two main ways: by trying to get the user to pay for the app, and by using ad networks. Upon installation, the game asks the user to pay for the game or to do a free trial. When the user selects the free trial, the app loads a pre-populated PayPal payment page for £18 ($22),” reads the blog post.
The apps download rate jumps from 1,000 to 50,000 within three weeks, and the game has a 4-star review. The malicious app has been taken down from the play store on June 27.