Flappy Birr Dog on Google Play found to be infected with spyware

Flappy Birr Dog is yet another spyware-related app that was found on Google Play store

Six applications like Flappy Birr Dog were discovered to spread data-stealing malware called MobSTSPY.

Numerous apps have been banned from the Google Play Store for being infected with malware. Unfortunately, such cases keep occurring, as hackers constantly rely on new deceptive techniques to infect Android users. According to the latest reports, security experts found yet another app on the Google Play Store that is infected with spyware and is capable of accessing user details such as location, communication logs or even account credentials.

Unfortunately, the infected Android app, which is called Flappy Birr Dog, has been downloaded more than 100 000 times by users from at least 196 countries.[1] According to Trend Micro's report, the app and several other apps (Flappy Bird, FlashLight, HZPermis Pro Arabe, Win7imulator, Win7Launcher, etc.) were found to be infected with the ANDROIDOS_MOBSTSPY spyware.[2]

It is possible that the Google Play store approved these apps because the malicious code was added after the initial upload. As mentioned in the report, these apps sat in the app store for several months before their creators altered them:

Usually Google enforce more stringent checks for new apps, but as updates are made to the app over time and they are proven not to be malicious from the offset, the level of checking may be reduced.

The functionality of the info-stealing malware MobSTSPY includes the collection of private information

After the application is installed, the MobSTSPY malware runs on the system, checks the network, connects to the C&C server[3] and starts collecting information about the infected device. Based on the device manufacturer and country, the malware decides on its later malicious behavior.

Since this spyware can launch different commands and functions, it is possible that the attackers are focusing on different techniques based on the particular target. MobSTSPY can do the following tasks:

  • access SMS messages;
  • steal data such as screenshots and audio recordings;
  • access WhatsApp information;
  • gather credentials by using additional phishing attacks.[4]
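Because these apps were altered after their initial upload, one defensive check is to compare the permissions an app requests before and after an update. The sketch below is an added example, not code from Trend Micro or from the article. It assumes both manifests have already been decoded to text XML, and the mapping from the capabilities listed above to Android permissions is an assumption, since the article does not name the permissions MobSTSPY requested.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping: permissions that would gate the capabilities listed above.
SENSITIVE = {
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.RECEIVE_SMS": "SMS messages",
    "android.permission.RECORD_AUDIO": "audio recordings",
    "android.permission.READ_CALL_LOG": "communication logs",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.READ_EXTERNAL_STORAGE": "stored files",
}

# Constructed sample manifests for a hypothetical flashlight app.
V1_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight" android:versionCode="1">
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""

V2_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight" android:versionCode="2">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission-sdk-23 android:name="android.permission.RECORD_AUDIO"/>
</manifest>"""

def permissions(manifest_xml):
    """Return the set of permission names requested by a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for element in root.iter(tag):
            name = element.get(ANDROID_NS + "name")
            if name:
                names.add(name)
    return names

def permission_drift(old_manifest, new_manifest):
    """Return (all newly requested permissions, the sensitive ones with a reason)."""
    added = permissions(new_manifest) - permissions(old_manifest)
    flagged = {p: SENSITIVE[p] for p in added if p in SENSITIVE}
    return sorted(added), flagged

if __name__ == "__main__":
    added, flagged = permission_drift(V1_MANIFEST, V2_MANIFEST)
    print("newly requested:", added)
    for perm, reason in sorted(flagged.items()):
        print("review before approving update:", perm, "->", reason)
```

A flashlight app that starts requesting SMS and microphone access in an update is the kind of change worth reviewing before the update is approved or installed.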

Additionally, this application can create fake messages from social media or other platforms to steal the victim's account logins. Fake pop-ups from Facebook or Google can ask you to type your username and log in to the account, but the minute you enter the needed information, malware actors steal those details for their later purposes.

These pop-ups appear out of nowhere and attempt to get users' account logins and passwords. The window suggests that users log in to their account, but when you enter your credentials, the message reports an unsuccessful login. By then, however, your account information has already been gathered and stolen.

Data-stealing malware has been distributed in more than 196 countries

The applications that distribute the info-stealing malware were probably updated after being uploaded to the Google Play Store, and after that, the six main apps discovered in the investigation were downloaded by at least 100 000 users. The Android malware was widely distributed across a large part of the world. Top countries with the most affected users:

  • India;
  • Russia;
  • Pakistan;
  • Bangladesh;
  • Indonesia;
  • Brazil;
  • Egypt;
  • Ukraine;
  • Turkey;
  • The United States.

During this research, Trend Micro discovered six applications that distributed the malicious MobSTSPY[5] around the globe: Flappy Birr Dog, Flappy Bird, FlashLight, HZPermis Pro Arabe, Win7imulator, Win7Launcher. All of these apps should be removed from your device, and you need a full system cleaning if you want to avoid additional virus damage to the system.

About the author
Ugnius Kiguolis
Ugnius Kiguolis - The mastermind

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.
