McAfee Labs recently found a suspicious Android game application hosted on Google Play. The app, named “Kunt u Vang de tovenaar” (“Can you catch the wizard” in ungrammatical Dutch), is offered by “AppstoreVN Team.” While analyzing the app, we discovered several suspicious functions during game play.
The first suspicious behavior is the use of a .vn top-level domain (for Vietnam) in the app configuration file apk.properties, although the app title and descriptions on Google Play are based in the Netherlands.
The website behind that domain is actually Vietnam’s Android app market, which hosts many apps, including well-known titles such as Gmail, Angry Birds, and Facebook.
The first app in this package is just a downloader for a legitimate game, but it contains advertising components. “Cài Facebook” (“Setting Facebook” in Vietnamese) is a downloader application for Facebook that downloads the legitimate app from the Vietnamese market (not from the official Google Play store).
As we always advise, users must be careful about installing apps from untrusted sources. Malicious apps are commonly found in these locations and can lead to device damage or a loss of data.
The second suspicious element of this package is that the app employs Android’s device admin function, which is typically used for remote lock, remote wipe, and handling password policies—a very strong privilege to protect a device, especially if it is lost. On the other hand, ransomware and other malware occasionally abuse this privilege, locking the device to extort money from the victim, as my colleague Lianne Caetano reported in this post.
The on-off status of device admin is reported to the Vietnamese app market by the APKTracker class in the application. It is possible to request “set storage encryption” to encrypt application data based on the app’s device admin policy.
It is not common for gaming apps to require the device admin function. The current version of this app appears to have no harmful behavior, but it’s feasible that future updates could be malicious, and it would be easy for the app to leverage this privilege for some malicious behavior.
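The following example is added here and is not taken from the app or from McAfee's tools. It shows how a decoded AndroidManifest.xml can be checked for a device admin receiver and for the policies it requests, such as storage encryption. The manifest, the policy file, and the package and class names are constructed samples.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample: decoded AndroidManifest.xml (e.g. apktool output).
# Package and class names are hypothetical, not taken from the app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wizardgame">
  <application>
    <activity android:name=".GameActivity"/>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin"
                 android:resource="@xml/device_admin"/>
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: res/xml/device_admin.xml, keyed by resource name.
SAMPLE_POLICIES = {"device_admin": """<device-admin>
  <uses-policies>
    <force-lock/>
    <encrypted-storage/>
  </uses-policies>
</device-admin>"""}

def find_device_admins(manifest_xml, xml_resources):
    """Map each device admin receiver to the sorted policies it requests."""
    findings = {}
    for receiver in ET.fromstring(manifest_xml).iter("receiver"):
        # Device admin receivers are protected by BIND_DEVICE_ADMIN.
        if receiver.get(ANDROID + "permission") != "android.permission.BIND_DEVICE_ADMIN":
            continue
        policies = set()
        for meta in receiver.findall("meta-data"):
            if meta.get(ANDROID + "name") != "android.app.device_admin":
                continue
            res_name = meta.get(ANDROID + "resource", "").split("/")[-1]
            policy_xml = xml_resources.get(res_name)
            if policy_xml:
                root = ET.fromstring(policy_xml)
                policies.update(p.tag for p in root.iterfind("uses-policies/*"))
        findings[receiver.get(ANDROID + "name")] = sorted(policies)
    return findings

if __name__ == "__main__":
    print(find_device_admins(SAMPLE_MANIFEST, SAMPLE_POLICIES))
```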
Is this just a poorly designed app? Or is this a suspicious app waiting for the opportunity to attack after many users have installed it? McAfee Mobile Security detects this Android threat and informs customers if the app is present, while protecting them from any unexpected incidents.