A modified version of Mojang’s Minecraft – Pocket Edition contained a Trojan to forcibly send text messages to premium-rate numbers.
Several Russian third-party app stores have made a version of Minecraft – Pocket Edition available to download for a cheaper price than the legitimate game by Mojang, web security firm F-Secure reports. Not only do the scammers receive money for the fake app, but they also use the app to generate SMS messages to premium-rate numbers in Russia, racking up victims’ phone bills.
The Trojanized Minecraft costs €2.50 compared to the actual game’s price of €5.49. Similar malicious applications are usually free. The fake app earns the group/person responsible some cash for each download, but the Trojan generates more money.
“The real game is included, but it has one added permission: android.permission.SEND_SMS and the payment system has been enhanced,” F-Secure told PC Mag. The app uses this permission to send text messages from the phones with the Trojan to “premium-rate numbers” in Russia and sign the victims up for expensive subscriptions, adding money to their phone bills. Even if the makers of the fake app don’t own the premium-rate numbers, it wouldn’t be unheard of for them to take a cut of the money.
Mojang did its homework and coded security measures to prevent Trojans like this one from occurring, but the developers behind the Trojanized app used a tool to successfully hack it. “The original Minecraft includes a check inside the dex code that verifies the signature that has been used to sign the APK [Android application package file],” F-Secure stated. “If it’s not [Mojang’s], the code refuses to run.” Except in this case.
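The two differences F-Secure describes, an added SEND_SMS permission and a signing certificate that is not the publisher's, can both be checked from outside the app. The following is an added example, not code from F-Secure, Mojang or PC Mag; it assumes the manifests have already been decoded to text XML and the signing certificates extracted as DER bytes, and the package name, permission sets and certificate bytes are constructed stand-ins.

```python
import hashlib
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Permissions that can put charges on the phone bill; SEND_SMS is the one the article names.
BILLING_RISK = {"android.permission.SEND_SMS", "android.permission.CALL_PHONE"}

# Constructed sample manifests (hypothetical package name and permission sets).
MANIFEST_TEMPLATE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.blockgame">{perms}</manifest>"""
PERM = '<uses-permission android:name="android.permission.{}"/>'
REFERENCE_MANIFEST = MANIFEST_TEMPLATE.format(perms=PERM.format("INTERNET"))
CANDIDATE_MANIFEST = MANIFEST_TEMPLATE.format(
    perms=PERM.format("INTERNET") + PERM.format("SEND_SMS"))
# Constructed stand-ins for the DER-encoded signing certificates.
REFERENCE_CERT = b"constructed-publisher-certificate"
CANDIDATE_CERT = b"constructed-repackager-certificate"


def requested_permissions(manifest_xml):
    """Return the set of <uses-permission> names in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {n for n in names if n}


def audit(ref_manifest, ref_cert, cand_manifest, cand_cert):
    """Compare a candidate APK's manifest and signer against the trusted build."""
    added = requested_permissions(cand_manifest) - requested_permissions(ref_manifest)
    # A repackaged APK cannot be re-signed with the publisher's private key,
    # so its certificate fingerprint differs from the reference build's.
    signer_ok = hashlib.sha256(ref_cert).digest() == hashlib.sha256(cand_cert).digest()
    risky = sorted(added & BILLING_RISK)
    return {
        "added": sorted(added),
        "risky": risky,
        "signer_matches": signer_ok,
        "suspicious": (not signer_ok) or bool(risky),
    }


if __name__ == "__main__":
    print(audit(REFERENCE_MANIFEST, REFERENCE_CERT, CANDIDATE_MANIFEST, CANDIDATE_CERT))
```
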
As always, pay attention to what you download to ensure you’re getting legitimate software. Some application stores do not vet apps thoroughly.
Source: PC Mag