Beware! Flappy Bird fake apps are stealing money for cybercriminals

Late last week, I heard some people raving about a smartphone game called Flappy Bird.

I felt like a social outcast not knowing what it was, and downloaded it to give it a try.

Sorry to be a party-pooper but I couldn’t see what the fuss was all about.

After about three minutes I erased the game from my phone, irritated by the intrusive advertising banners it popped up over the screen (the Vietnamese maker of the game is reported to have made $50,000 per day from the ads) and the dull unenticing gameplay.

But, apparently, I’m in the minority.

Many many people are utterly enhanted by Flappy Bird, became addicted to beating their high scores, and went into shock when headlines revealed that the game’s creator, Dong Nguyen, had decided to withdraw it from app stores.

Some chancers even offered iPhones for sale on eBay, complete with Flappy Bird already installed for those folks who might be tempted to pay over the odds for the chance to play the hit game.

And, like other hot apps before it, cybercriminals saw an opportunity to make money for themselves.

As Trend Micro reports, fake Android versions of Flappy Bird have been spread online, designed to steal money for online criminals.

The apps, which have been particularly rampant in unofficial Android app marketplaces in Russia and Vietnam, attempt to send SMS messages to premium rate services and then hide the responses from the phone’s owners.

In this way, the fraudsters earn money without the game player realising.

This scam only works for criminals because users don’t properly check an Android app’s permissions before allowing it to install.

If possible always get your Android apps from the official Google Play store. Although there have been cases of malware and shady apps getting into the official store, generally it’s a lot safer to download Android apps from there than elsewhere.

Also, see how many reviews an app has received – and check them out before downloading it to your Android phone. If it’s a popular app like Candy Crush Saga or Instagram or Angry Birds you would expect there to be plenty of reviews. If it doesn’t have any reviews, but is a well-known app, there’s a chance that you’re looking at a fake version which might have sinister intentions.

And, regardless of where you source your Android apps from, always check the permissions that your app requests. You should ask yourself, would a simple game *really* require need to send (potentially expensive) SMS messages?

A little common sense can go a long way. Unlike that bloody flapping bird…

Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.

Graham Cluley •   @gcluley

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, on Mastodon at @[email protected], or drop him an email.