Pirate Versions of Popular Apps Infiltrate Google Play via Virtualization

The McAfee Mobile Research team recently found pirated applications of popular apps distributed on the Google Play store. A pirated app is one distributed usually outside of the official store as a free version of a legitimate app. Paid legitimate applications are leading targets of pirated versions. In this case, however, we found pirated copies being distributed on the official market.

The four pirated apps we found are developed by AE-funStudios, which offers versions of the common tool and games Flashlight, Race Car, Gun Shoot, and Chess. The download numbers of these apps are between 10,000–100,000. We contacted Google about these pirated apps; they were promptly removed from the Google Play store.

How do we know these apps are pirated versions? Let’s look at their structure. The following screenshot shows the pirated version of Chess, com.chess.chessfree.chessboard.chessgame.free.

In this app, we find the file ttttt in the assets folder. The file has no extension, but the format is APK, and in this case is the legitimate app Chess Free from a different developer. The bogus filename is already suspicious.

The pirate app attempts to create a virtual space using the class VirtualCore, installing the legitimate app in the virtualization space, and running it after it launches.

The component com.lody.virtual is a piece of virtualization technology. The virtualization component VirtualApp is published on github as open source. Thus the component itself is not malicious. It is a similar technology to Instant App, introduced from Android 8.0 Oreo that provides a framework for running an application in a virtual space without installation. The component creates a virtual memory space in a local process, and loads and executes an APK file in the memory space.

The pirated app makes the legitimate app in the assets folder behave like a part of the application by using the virtualization component, without installing the legitimate app on the device. Using this framework, the malware author can generate a new Trojan without repackaging (disassembling an app, inserting malware code, and rebuilding it as new package).

However, the virtualization technique is not the perfect framework for all Android apps. Those with diversion protection and complex structures will not run in a virtual space. By applying app protection technology against repackaging, for example, we believe that the risk of a legitimate application being abused will become very low.

Let’s consider the intent of the pirated app’s author. In the following screenshot, it appears the author intends to earn income from mobile app advertisements. From our investigation, however, the current versions of these pirated apps have no mechanisms to display advertisements or to intercept the communications of the related legitimate apps to gain the revenue. Perhaps this feature is under development for future updates.

Another scenario is that the developer of the pirated apps might plan to sell the developer account to a criminal organization because, as one website points out, popular accounts such as those on Facebook and Instagram are traded at high prices in the black market just like banking accounts and personal identity information. The developer account could also be used for malware and spyware distribution. Each application affected by these four pirated apps is very popular, with the number of users between 1 million to 50 million. The pirated versions offer the same functionality as the legitimate apps to attract and retain users looking for original applications.

McAfee Mobile Security detects these pirated apps as Android/PUP.Pirates.C and protects user devices as well as the legitimate developers’ rights. To further protect yourself against pirated apps, download only recommended and popular apps on official app stores, and pay attention to suspicious traits such as odd app titles, user-unfriendly descriptions, low-quality screenshots, and poor user reviews. Also, verify that an app’s request for permissions is related to its functionality.

 

Leave a Comment

seventeen − three =