Google Play card-game app steals Viber images and video
Tue 28 Jun 2016
Researchers from Symantec have identified a game-related app on Google Play that is in fact malware capable of searching a user’s smartphone for media related to the Viber messaging and video app – and sending it to a remote server.
The app, called Beaver Gang Counter, purports to keep score for a popular card game, but surreptitiously searches several standard directories which Viber uses to store images and video. These include “/viber/media/Viber Images” and “/viber/media/.converted videos” (screenshot below of the code found by Symantec within the app).
The researchers note that the malicious app follows the growing trend of time-delayed attacks: Beaver Gang Counter queries its C&C server to ask whether it should collect files from the designated folder and send them on. This effectively takes the app in and out of ‘possum mode’, helping it to hide from security analysis procedures, and – Symantec speculates – even from Google Play’s own app-vetting services.
Symantec has identified this particular threat as Android.Vibleaker. Its short career path began on 22nd June, and it has now been removed from the Google Play store.
For a card-counting app, it has a typical raft of unusual permission requests, including reading from external storage, accessing information about networks and the current state of the Wi-Fi connection, and reading and writing system settings (presumptive requests which the Chinese would take a dim view of).
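Because the collection only runs when the C&C server says so, a static look at the manifest and the app's string constants is one triage that does not depend on the trigger firing. The sketch below is an added example, not Symantec's tooling or code from the app: the Android permission constants are an assumed mapping of the permissions described above, and the manifest and string list are constructed sample input.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed Android constants for the permissions the article describes in words.
DESCRIBED_PERMISSIONS = {
    "android.permission.READ_EXTERNAL_STORAGE": "read external storage",
    "android.permission.ACCESS_NETWORK_STATE": "network information",
    "android.permission.ACCESS_WIFI_STATE": "Wi-Fi connection state",
    "android.permission.WRITE_SETTINGS": "modify system settings",
}
STORAGE_READ = "android.permission.READ_EXTERNAL_STORAGE"

# Directories named in the article; they belong to Viber, not a score keeper.
FOREIGN_MEDIA_DIRS = ("/viber/media/Viber Images", "/viber/media/.converted videos")

# Constructed sample input (not taken from the real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.scorekeeper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
</manifest>"""
SAMPLE_STRINGS = ["Player 1", "/viber/media/Viber Images", "score_total",
                  "/viber/media/.converted videos"]


def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {n for n in names if n}


def triage(manifest_xml, strings):
    """Static check only: nothing is executed, so no C&C trigger is needed."""
    perms = requested_permissions(manifest_xml)
    flagged = sorted(p for p in perms if p in DESCRIBED_PERMISSIONS)
    hits = sorted({s for s in strings
                   if any(d.lower() in s.lower() for d in FOREIGN_MEDIA_DIRS)})
    return {
        "permissions": flagged,
        "foreign_paths": hits,
        # Storage access plus hard-coded paths into another app's media folder.
        "suspicious": STORAGE_READ in perms and bool(hits),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MANIFEST, SAMPLE_STRINGS).items():
        print(f"{key}: {value}")
```

String constants that are encrypted or assembled at run time would not show up in such a scan, so a clean result here is not a clearance.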
One aspect that the report does not address is the curious and marginal nature of the host app – and the possibility that malware releases of this nature might be aimed at a single and particular individual, rather than anticipating viral take-up and subsequent data abuse.
Viber has avoided the raft of high-profile hacks which have beset so many popular messaging and communications apps over the last two years (despite suffering a website defacement allegedly by the Syrian Electronic Army), and, to consolidate this, introduced full encryption into the app in April of this year.