Spyware for ApexLegends
 
Apex Legends has gained monumental popularity in a very short time. Naturally, malware writers are trying to capitalize on this craze by disguising malicious apps as Apex Legends.

There is already a slew of YouTube scam videos claiming that Apex Legends can be played on Android, but the links in such videos usually lead to "verification" sites that simply try to extract sensitive information from the user via surveys.

One such app uses the package name yps.eton.application (MD5: 253489a49d14719a4c29dc0f5e9f9c79). After installation it appears in the app drawer with an Apex Legends icon:



Upon execution we are taken straight to the Accessibility settings screen, which shows an entry for Apex Legends. Normally, when malware needs the Accessibility Service, it presents the user with a fabricated reason to enable it. In this case I did not see any such prompt; perhaps this component did not work for me or is not completely in place.



Same goes for Device Admin privileges:



Examining the code reveals that this sample is actually a potent piece of spyware that has been around for a while. A few of its key capabilities are as follows:
  • This spyware can extract sensitive information from the device:
    • Device information - Model, brand, serial number and more
    • Information about the SIM - serial number, country name, phone number
    • Contacts information
    • Call Logs
    • SMS present on the device
    • View pictures on the device
    • Collect location data from the device

  • The spyware can also perform a number of actions typical of Android spyware:
    • Make phone calls
    • Record audio
    • Send SMS
    • Take photos from the camera
    • Record videos from the camera
    • Record keystrokes (keylogger)
    • Check if the device is rooted
    • Start the spyware each time the device reboots
A few snippets from the code:





It is interesting to note that there are other apps with this package name, and what they all have in common is that their application name imitates that of an already popular app.

This means the malware writer is trying to pass off his spyware as other popular apps:
  • gta san andreas - 0c16c0bf123a9dfa2e89893d603bdd3b
  • facebook - 4ac17f0d86005d7a86a8cd84e5393428
  • whatsapp - 1ea2a445c692c335b721076587d16363
  • Amazon Kindle lite - 2d1a864b1a10c4482f6f555cfb2c3060
  • Gmail - 771d3d5953698956602bfa383ff76bc5
  • Google Play Service - 99d55102d63820edd957ddeacd36f12d
  • baidu - a0aead36e578a6d86918d7afe8695df8
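The indicators above (the shared package name and the sample MD5s) together with the capability list earlier in the post can be turned into a simple triage check for sideloaded apps on a device or in an APK collection. The script below is an added example written for this post, not code from the author or from the sample. The package name and hashes are the ones listed in the post; the mapping from Android permission strings to capabilities, the table of genuine package names for the imitated brands, and the app inventory it runs over are this example's own assumptions and constructed data, not a manifest recovered from the sample.

```python
"""Triage heuristic for sideloaded Android apps, built from the indicators in this post."""
import hashlib
from typing import Dict, List, Set

# Indicators taken from the post: the shared package name and the MD5s of the samples.
SUSPICIOUS_PACKAGE = "yps.eton.application"
KNOWN_MD5: Dict[str, str] = {
    "253489a49d14719a4c29dc0f5e9f9c79": "Apex Legends",
    "0c16c0bf123a9dfa2e89893d603bdd3b": "gta san andreas",
    "4ac17f0d86005d7a86a8cd84e5393428": "facebook",
    "1ea2a445c692c335b721076587d16363": "whatsapp",
    "2d1a864b1a10c4482f6f555cfb2c3060": "Amazon Kindle lite",
    "771d3d5953698956602bfa383ff76bc5": "Gmail",
    "99d55102d63820edd957ddeacd36f12d": "Google Play Service",
    "a0aead36e578a6d86918d7afe8695df8": "baidu",
}

# Brand keyword -> the genuine package name that app is published under (assumption
# of this example; extend with whatever brands your inventory cares about).
LEGIT_PACKAGES: Dict[str, str] = {
    "facebook": "com.facebook.katana",
    "whatsapp": "com.whatsapp",
    "gmail": "com.google.android.gm",
    "google play service": "com.google.android.gms",
}

# Real Android permission / bind strings, grouped by the capabilities the post describes.
# The grouping itself is this example's own.
CAPABILITY_PERMISSIONS: Dict[str, Set[str]] = {
    "read contacts": {"android.permission.READ_CONTACTS"},
    "read call logs": {"android.permission.READ_CALL_LOG"},
    "read/send SMS": {"android.permission.READ_SMS", "android.permission.SEND_SMS"},
    "make phone calls": {"android.permission.CALL_PHONE"},
    "record audio": {"android.permission.RECORD_AUDIO"},
    "camera (photos/video)": {"android.permission.CAMERA"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "start on boot": {"android.permission.RECEIVE_BOOT_COMPLETED"},
    # these two are declared on a <service>/<receiver>, not as uses-permission
    "accessibility service (keylogging)": {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
    "device admin": {"android.permission.BIND_DEVICE_ADMIN"},
}


def md5_hex(data: bytes) -> str:
    """MD5 of an APK's bytes, for matching against the post's indicators."""
    return hashlib.md5(data).hexdigest()


def capabilities(permissions: Set[str]) -> List[str]:
    """Map declared permissions to the spyware capabilities they would enable."""
    return [cap for cap, perms in CAPABILITY_PERMISSIONS.items() if perms & permissions]


def impersonated_brand(label: str, package: str) -> str:
    """Return the brand a label imitates when the package is not the genuine one, else ''."""
    lowered = label.lower()
    for brand, legit in LEGIT_PACKAGES.items():
        if brand in lowered and package != legit:
            return brand
    return ""


def triage(app: Dict) -> Dict:
    """Score one app; a higher score means more reasons to pull it for analysis."""
    findings: List[str] = []
    if app["md5"] in KNOWN_MD5:
        findings.append(f"md5 matches known sample posing as {KNOWN_MD5[app['md5']]}")
    if app["package"] == SUSPICIOUS_PACKAGE:
        findings.append(f"package name {SUSPICIOUS_PACKAGE} is shared by the known samples")
    brand = impersonated_brand(app["label"], app["package"])
    if brand:
        findings.append(f"label imitates {brand} but package is {app['package']}")
    caps = capabilities(set(app["permissions"]))
    # One app asking for most of the list matches the spyware profile described above.
    if len(caps) >= 5:
        findings.append(f"{len(caps)} spyware capabilities from permissions: {', '.join(caps)}")
    return {"package": app["package"], "findings": findings,
            "score": len(findings), "capabilities": caps}


# Constructed inventory (not real device data). The permission list is what the described
# capabilities would require, not a manifest extracted from the sample.
SAMPLE_APPS = [
    {"label": "Apex Legends", "package": SUSPICIOUS_PACKAGE,
     "md5": "253489a49d14719a4c29dc0f5e9f9c79",
     "permissions": ["android.permission.READ_CONTACTS", "android.permission.READ_CALL_LOG",
                     "android.permission.READ_SMS", "android.permission.SEND_SMS",
                     "android.permission.CALL_PHONE", "android.permission.RECORD_AUDIO",
                     "android.permission.CAMERA", "android.permission.ACCESS_FINE_LOCATION",
                     "android.permission.RECEIVE_BOOT_COMPLETED",
                     "android.permission.BIND_ACCESSIBILITY_SERVICE",
                     "android.permission.BIND_DEVICE_ADMIN"]},
    {"label": "Facebook", "package": "com.example.fbclone",   # constructed look-alike
     "md5": "0" * 32, "permissions": ["android.permission.INTERNET"]},
    {"label": "Calculator", "package": "com.example.calc",    # constructed benign app
     "md5": "1" * 32, "permissions": []},
]

if __name__ == "__main__":
    for app in SAMPLE_APPS:
        result = triage(app)
        print(result["package"], f"score={result['score']}", *result["findings"], sep="\n  ")
```

On a real inventory you would feed `md5_hex` the APK bytes (for example from `adb pull` or `pm path`) and take the label, package and permission strings from the manifest; the hash match catches only the exact samples listed here, while the brand/package mismatch and the permission profile are what generalise to the next repackaged build.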
 