Author Topic: Even more malware outbreak from Chinese fake pokemon online android game  (Read 7561 times)


REDACTED

  • Guest
Re: trojan.android.agent.ddovzd outbreak from Chinese fake pokemon game https://forum.avast.com/index.php?topic=155727.0
That thread now contains useless data since the game mentioned has been updated. (If possible, please remove this thread due to the fake data.)

Here is the detection of the new version (the type of trojan has been changed), plus a few new games that are malicious.
Due to the fact that I saw some of these in the Play Store (Hong Kong region), I will show games that are detected by avast as well, just to notify others to beware of this.
There are actually more similar apps that are not listed here.

Sample 1:
URL: htxp://a.4399.cn/game-id-41755.html
Game name: 去吧皮卡丘(全民宝贝)  [Not official translation: go pikachu (everybody pokemon)]
Virus type: Trojan.Android.Fakengry.dkmmvp / Android:Smsreg-BLC [PUP]
VT: https://www.virustotal.com/en/file/fdabff2f954b4b269e381232c740ab64ac2697ebe40f18f671f3218588195d07/analysis/
Bad history of the game (older version): https://www.virustotal.com/en/file/793d604b737cebc3dc34c632590450ebd2f7ba198656f8446567dc19eed4330c/analysis/

Sample 2:
URL: htxp://a.4399.cn/game-id-42863.html
Game name: 宠物小精灵 M [Not official translation: Pokemon mobile version]
Virus type: Trojan.Android.Fakengry.dkmmvp / Android:Smsreg-BLC [PUP]
VT: https://www.virustotal.com/en/file/7427862d34dc85b88d1b8c8a2814504ea72d2e217b839ba2de3e1acde5970b04/analysis/
Bad history of the game (older version): https://www.virustotal.com/en/file/cfc38043afc676a9bde4b0f71bfeb9eb409f91c5d07e44022717e7b44ae828ef/analysis/
Remark: lol at the fact that Baidu detects this Chinese app as "hacktool.smsreg.ll" even though this app is made in China. You can see how this is real malware. ;D

Sample 3:
URL: htxp://www.9669.com/wy/kdygfk/index.html
Game name: 口袋妖怪:复刻 [Not official translation: Pokemon: the remake] ***this game is in beta version
Virus type: Trojan.Android.Kuguo.dgtgvx / android.riskware.smspay.n
VT: https://www.virustotal.com/en/file/52d292fce29458ba577c4e44cda17b2f465a963aef8a8fb316be4bda6e2949cd/analysis/1424872972/
Remark: Avast is currently not detecting this app.

Sample 4:
URL: htxp://www.9669.com/wy/chaojijingling3d/index.html
Game name: 超级精灵3D [Not official translation: Super pokemon 3d version] ***this game is in beta version
Virus type: Trojan.Android.Fakengry.dkmmvp / *some bad file rep detection*
VT: https://www.virustotal.com/en/file/6169c36f68f96169cd3bcab977883523b253cae00e60e01e55913a12930f9c4e/analysis/1424875509/
Remark: Avast is currently not detecting this app.

PS: Notice how NANO-antivirus gives the same detection of "Trojan.Android.Fakengry.dkmmvp", and some other detections remain the same between the different games. Maybe there is the same thing used by the developer that is actually malware, and avast needs to add a few more "Android:Smsreg-BLC [PUP]".
« Last Edit: February 25, 2015, 05:04:53 PM by rickyyeung »

REDACTED

  • Guest
Re: Even more malware outbreak from Chinese fake pokemon online android game
« Reply #1 on: February 28, 2015, 11:40:13 AM »
Oh boy! This is on google play again!! :( :( Does avast detect this??
Quote
Sample 1:
URL: htxp://a.4399.cn/game-id-41755.html
Game name: 去吧皮卡丘(全民宝贝)  [Not official translation: go pikachu (everybody pokemon)]
Virus type: Trojan.Android.Fakengry.dkmmvp / Android:Smsreg-BLC [PUP]
VT: https://www.virustotal.com/en/file/fdabff2f954b4b269e381232c740ab64ac2697ebe40f18f671f3218588195d07/analysis/
Bad history of the game (older version): https://www.virustotal.com/en/file/793d604b737cebc3dc34c632590450ebd2f7ba198656f8446567dc19eed4330c/analysis/

How many times does it get onto the play market and then get removed a few weeks later ???
Unfortunately, I saw the same app in HK region play market using my phone 4 weeks ago from the new hot game section.

This site contained the last name used in HK region play market:
http://www.176app.com/html/game/android/475/1648.html
Game name: 精靈契約
The content from the walkthrough page is the same as "去吧皮卡丘(全民宝贝)" from 4399

There is also a link to the google play market page in the above site
See: https://play.google.com/store/apps/details?id=com.dkgame.gplay.petwarstw
name changed to 寵物戰記 and the company changed from dkgame to guanmodi not long ago!!
Someone has already asked how many times they want to change the name of the game. You can see that they have put the game in a lot of times.

I found some copies of the same game from Baidu which, for some unknown reason, are undetected by most antivirus. I don't know if the trojan is added by 4399.cn, 9669.com, and other sites when they put the game in, or if there is actually a trojan in the original game file.

Anyway, https://play.google.com/store/apps/details?id=com.dkgame.gplay.petwarstw this game still looks very suspicious.
« Last Edit: February 28, 2015, 11:43:30 AM by rickyyeung »

REDACTED

  • Guest
Re: Even more malware outbreak from Chinese fake pokemon online android game
« Reply #2 on: February 28, 2015, 12:02:59 PM »
***Intentionally separating this post from the last post***
Just not long ago, I found one more app that avast does not show a detection on in VirusTotal.
URL: htxp://www.vipcn.com/shoujiyouxi/celueqipai/192056.html  (DO NOT GO TO THIS SITE! THERE ARE MALICIOUS ADS; REFER TO hxxp://pic.9ht.com/up/2015-2/201521414333.png)
Game name: 哈喽皮卡丘 (Not officially translated: hello pikachu)
virus type: unknown
VT: https://www.virustotal.com/en/file/aa0852eb6a6a461978c42a6159aa1730ebeec114c9c4dfb3e5c4533f550e039d/analysis/1425120282/
Popup by avast: android:lgexin-AJ [PUP] on computer

***developer please look at the following, possible bug report***
Here is a glitch in avast mobile security. I found this by scanning known android malware in www.virscan.org
I suspected that the above app is detected on computer only, not on phone.
When scanning an apk file in VirusTotal, they show the result from avast mobile security. However, www.virscan.org uses the computer one regardless of the type of the file (they lie that most of the samples are clean when a lot of antivirus engines in VT have a detection).
VT showed avast detected one of my samples (a card game file) as android:lgexin-AJ [PUP] but not this one, even though avast popped up suggesting that the file may not be detected on phone.
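A local triage check is one way for a defender to cross-check the scanner discrepancy the post above describes. The script below is an added example, not code from the poster or from Avast: it hashes an APK, compares the digest against the SHA-256 values quoted in this thread, and searches the binary AndroidManifest.xml for the SMS permissions that smsreg/smspay style detections concern. The `build_test_apk` helper produces a constructed stand-in archive (a zip with a minimal manifest stub) so the check can be exercised offline; it is not a real sample.

```python
import hashlib
import io
import sys
import zipfile
from pathlib import Path

# SHA-256 digests quoted in this thread (VirusTotal links and the samples
# requested by the Avast team), mapped to the game names given there.
THREAD_IOCS = {
    "fdabff2f954b4b269e381232c740ab64ac2697ebe40f18f671f3218588195d07": "去吧皮卡丘(全民宝贝) (sample 1)",
    "793d604b737cebc3dc34c632590450ebd2f7ba198656f8446567dc19eed4330c": "去吧皮卡丘(全民宝贝) (sample 1, older version)",
    "7427862d34dc85b88d1b8c8a2814504ea72d2e217b839ba2de3e1acde5970b04": "宠物小精灵 M (sample 2)",
    "cfc38043afc676a9bde4b0f71bfeb9eb409f91c5d07e44022717e7b44ae828ef": "宠物小精灵 M (sample 2, older version)",
    "52d292fce29458ba577c4e44cda17b2f465a963aef8a8fb316be4bda6e2949cd": "口袋妖怪:复刻 (sample 3)",
    "6169c36f68f96169cd3bcab977883523b253cae00e60e01e55913a12930f9c4e": "超级精灵3D (sample 4)",
    "aa0852eb6a6a461978c42a6159aa1730ebeec114c9c4dfb3e5c4533f550e039d": "哈喽皮卡丘",
    "0d2723230b258709e7dfa38dc96052726e52c263f7236afea3983e4698301923": "宝贝联盟",
    "a902b186ff28495901af39130d2efeefc063f234c3aee71a5262e381521bcd25": "GBA口袋妖怪",
}

# Permissions a premium-SMS style app needs; their presence is a triage
# signal, not proof of malice (legitimate messaging apps hold them too).
SMS_PERMISSIONS = (
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
)


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def manifest_permission_hits(apk_bytes: bytes) -> list:
    """Return the SMS permissions named in the APK's AndroidManifest.xml.

    The compiled (binary XML) manifest stores permission names in its string
    pool as UTF-16LE or UTF-8, so a raw substring search over the file is a
    cheap heuristic that needs no full AXML parser. An unreadable archive or a
    missing manifest yields no hits rather than an exception.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
            manifest = zf.read("AndroidManifest.xml")
    except (zipfile.BadZipFile, KeyError):
        return []
    return [
        perm for perm in SMS_PERMISSIONS
        if perm.encode("utf-16-le") in manifest or perm.encode("utf-8") in manifest
    ]


def triage(apk_bytes: bytes) -> dict:
    """Hash the APK, match it against the thread's IoCs, and list SMS permissions."""
    digest = sha256_of_bytes(apk_bytes)
    return {
        "sha256": digest,
        "known_sample": THREAD_IOCS.get(digest),
        "sms_permissions": manifest_permission_hits(apk_bytes),
    }


def build_test_apk(permissions) -> bytes:
    """Constructed stand-in for an APK (not a real sample): a zip whose
    AndroidManifest.xml holds the given permission names as UTF-16LE, the way a
    binary manifest's string pool would. The 4-byte prefix is a placeholder
    chunk header, not a parseable manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        pool = b"".join(p.encode("utf-16-le") + b"\x00\x00" for p in permissions)
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00" + pool)
        zf.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python triage.py some.apk [more.apk ...]
    for arg in sys.argv[1:]:
        print(arg, triage(Path(arg).read_bytes()))
```

A hash match only confirms the exact file discussed here; the renamed or re-uploaded builds the thread complains about will have different digests, which is why the permission heuristic is reported alongside the hash rather than instead of it.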

REDACTED

  • Guest
Passed to viruslab, thanks.

Offline Sirmer

  • Avast team
  • Sr. Member
  • *
  • Posts: 324
Hello,

thanks for the shared information. I created a detection for one sample which will be released after our tests, but can I ask you for some samples? Because unfortunately we are missing these samples in our DB and I am not able to download these samples from the original sites.
aa0852eb6a6a461978c42a6159aa1730ebeec114c9c4dfb3e5c4533f550e039d
6169c36f68f96169cd3bcab977883523b253cae00e60e01e55913a12930f9c4e

Best regards,

Jan

REDACTED

  • Guest
Hi Sirmer,

Good to know that it is detected.
These files may be too large to send via email as these are online game files. Fortunately, there are direct download links for these (2 for each, change "htxp" to "http"):
aa0852eb6a6a461978c42a6159aa1730ebeec114c9c4dfb3e5c4533f550e039d
htxp://d1.vipcn.org/v7/jhd/haloupikaqiu.apk
htxp://d2.vipcn.org/v7/jhd/haloupikaqiu.apk

6169c36f68f96169cd3bcab977883523b253cae00e60e01e55913a12930f9c4e
htxp://2.9669.com:801/down/chaojijingling3d.9669.com.9y.apk
htxp://3.9669.com:801/down/chaojijingling3d.9669.com.9y.apk

Offline Sirmer

  • Avast team
  • Sr. Member
  • *
  • Posts: 324
Hello,

thanks for samples, we will check the files.

haloupikaqiu.apk is detected as an Android:Igexin-AJ [PUP] even in the mobile version.

REDACTED

  • Guest
Well, it has been more than 1 month and I have found more of these "smsreg" app.
These are from htxp://a.4399.cn (I am correct in reporting this android app market to avast, there will only be more android malware on this site!!)
avast does not detect these.

1.
Download URL: htxp://sj.img4399.com/game_list/371/com.af.ec.m4399/ec.m4399.v70172.apk
game name: 宝贝联盟
VirusTotal result: https://www.virustotal.com/en/file/0d2723230b258709e7dfa38dc96052726e52c263f7236afea3983e4698301923/analysis/1430015763/
All are smsreg detection

2.
Download URL: htxp://sj.img4399.com/game_list/8/com.funnyhux.myguardian.m4399/myguardian.m4399.v70014.apk
game name: GBA口袋妖怪
VirusTotal result: https://www.virustotal.com/en/file/a902b186ff28495901af39130d2efeefc063f234c3aee71a5262e381521bcd25/analysis/1430018873/
All are smsreg detection here too
By the way, when I see the second one, I really laughed at the "GBA" part in the name. They even reference Nintendo's game console directly as a name of a malicious app. I wonder why Nintendo does not take action on these games yet.