An Android game called “Scary Granny ZOMBYE Mod: The Horror Game 2019” is actually nasty data-stealing malware that will silently exfiltrate everything while you are playing it. The game is available through various channels, including the Google Play Store, from which it was removed two days ago, but not before it managed to accumulate 50,000 installations. This is not your average malicious app: it is very persistent, hides well, and is built to deceive.
First of all, it’s not a fake game, so you get to play it. Secondly, its malicious behavior doesn’t start right away, but only 48 hours after installation. Moreover, the app checks which Android OS version it is running on, and if it is a recent one it won’t do anything damaging, probably because newer Android versions are capable of flagging its behavior as suspicious. Then there is its persistence: the app’s activity doesn’t stop when the game is closed, and not even when the device is restarted.
So what exactly does it do in the background? First, it pushes well-made full-screen phishing forms to steal victims’ Google usernames and passwords. Once the credentials are stolen, the app gets access to the compromised account and collects all recovery emails, recovery phone numbers, birthday, verification codes, cookies, and tokens. For this, the malware uses the app’s built-in browser, but nothing is shown in the foreground. The app is not only trying to steal Google accounts, however, as some samples come with a Facebook-stealing package.
Moreover, the Scary Granny malware pushes ads like regular Android adware, but does so after disguising them to look like they came from other apps. Another way its creators make money is by selling the game for a hefty $22, which isn’t clearly communicated to the user. Even if the user chooses the “Free Trial”, they get a pre-populated PayPal payment page. Of course, free or not, it makes no difference to what you’ll end up having installed on your phone.
All that said, how this app got through Google’s checks and found its way into the Play Store is a reasonable question, and one that we really can’t answer. Thankfully, Wandera caught this app and reported it to Google before the installation count grew even larger.