The trojanized Minecraft PE (Pocket Edition) app works as it's expected, so users might not notice that it is sending text messages to premium rate numbers and is signing them up for pricy services until after they receive the next bill from their mobile operator.
This type of malicious cloning and changing of the Minecraft app should not be possible, as its creators have included a check inside the dex code that verifies the signature that has been used to sign the APK (Android application package). If the check fails, the app does not run.
Unfortunately, the malicious app creators have used Smalihook, a tool for hooking Java functions, to hook to modified functions that tell the device that the malicious app has been downloaded from Google Play, and that the aforementioned signature checks out.
"Smalihook seems to be part of the AntiLVL (Android License Verification Library Subversion) cracking tool. The purpose of these tools is to break license protection systems and they are aimed at developers who wants to test their own protections against common types of attacks," F-Secure researchers shared. Of course, the tool can easily be misused by attackers, as we have witnessed here.
It's also interesting to note that in schemes like this one, the developers of trojanized apps usually offer them for free in order to maximize the number of users who download and install them, and they ultimately get a cut of the profits from the sent SMSes and fraudulently bought services.
In this case, the crooks have opted to earn themselves some money even before the app starts performing its malicious routines. The legitimate app costs 5.49 euros, and they are charging 2.50 euros for they trojanized version.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.