Trojanized Flappy Bird Wings Its Way to Android

Photo credit: Tanjala Gica/

Flappy Bird gives users the ability to fly a pixelated, crude little bird across an obstacle course in classic 80s-style gaming fashion – sort of a stripped-down version of Mario Bros. only with no princess at the end. Even as it hit the top of the “free app” charts in both the App Store and Google Play, Vietnamese developer Dong Nguyen last weekend decided to yank the game, tweeting, "I cannot take this anymore." He was apparently concerned about the app’s ill effects on the public. He told Forbes that it was supposed to occupy people for a few minutes, but instead became "an addictive product. I think it has become a problem."

He could have a point: despite its simplicity, Flappy Bird had 50 million downloads and an average four-star rating from more than 543,000 reviews in the Apple App Store and 228,000 on Android (most of them humorous and tongue-in-cheek). And after it was pulled, hundreds of phones with Flappy Bird installed appeared for sale on eBay – racking up huge bids. The news wires have been alive with requiems for the app. Sesame Street and the band Fall Out Boy have even released homage apps – dubbed Flappy Bert and Fall Out Bird, naturally.

So it’s no wonder that amid the end-of-days frenzy malware developers have seen an opportunity.

Accordingly, “we found a bunch of fake Android Flappy Bird apps spreading online,” said Trend Micro, in a blog. “Especially rampant in app markets in Russia and Vietnam, these fake Flappy Bird apps have exactly the same appearance as the original version.”

Except these versions are premium service scams – apps that send text messages to premium numbers owned by crooks, who then charge victims’ phone bills for the messages and pocket the proceeds. The fake Flappy Bird app asks for permission to read and send text messages during installation, a clue to users because that wasn’t required in the original version. The texts sent also give the attackers the phone number, carrier and Gmail address registered in the device, opening the door for follow-on phishing attacks and the like.

Some versions also ask for the user to pay for the game.

“While the user is busy playing the game, this malware stealthily connects to a C&C server through Google Cloud Messaging to receive instructions. Our analysis of the malware revealed that through this routine, the malware sends text messages and hides the notifications of received text messages with certain content”, Trend Micro wrote.
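The permission clue and the SMS-hiding behaviour described above can be checked statically before an app is installed. The following Python sketch is an added example, not code from Trend Micro or from the article; it assumes the APK's AndroidManifest.xml has already been decoded to plain XML, and the sample manifest, package name and baseline permission set are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
SMS_PERMS = {"android.permission.SEND_SMS", "android.permission.READ_SMS",
             "android.permission.RECEIVE_SMS"}
GCM_PERM = "com.google.android.c2dm.permission.RECEIVE"  # Google Cloud Messaging receive
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"

def audit_manifest(manifest_xml, baseline_perms):
    """Compare a decoded manifest with the permissions of the genuine app."""
    root = ET.fromstring(manifest_xml)
    requested = {p.get(NS + "name") for p in root.iter("uses-permission")}
    requested.discard(None)
    added = requested - set(baseline_perms)
    # Receivers registered for incoming SMS. A raised priority lets a receiver
    # see a message first and, before Android 4.4, abort the broadcast so the
    # user never gets a notification.
    interceptors = []
    for recv in root.iter("receiver"):
        for filt in recv.iter("intent-filter"):
            actions = {a.get(NS + "name") for a in filt.iter("action")}
            if SMS_ACTION in actions:
                interceptors.append((recv.get(NS + "name"),
                                     int(filt.get(NS + "priority", "0"))))
    return {"added": sorted(added),
            "sms": sorted(added & SMS_PERMS),
            "push_channel": GCM_PERM in added,
            "sms_interceptors": interceptors}

# Constructed sample manifest for a repackaged game (not taken from a real APK).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="com.google.android.c2dm.permission.RECEIVE"/>
  <application>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="1000">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""
BASELINE = {"android.permission.INTERNET"}  # assumed stand-in for the original's permissions

if __name__ == "__main__":
    for key, value in audit_manifest(SAMPLE_MANIFEST, BASELINE).items():
        print(f"{key}: {value}")
```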

As always, Android users should be wary of downloads from third-party app stores. “Cybercriminals are constantly cashing in on popular games (like Candy Crush, Angry Birds Space, Temple Run 2, and Bad Piggies) to unleash mobile threats,” the firm said.
