Flight Sim Labs: Mod developer caught secretly embedding password-stealing malware to tackle pirates
FSLabs confirmed the existence of the hidden file but argued it's only used to target "specific pirate copies of copyrighted software obtained illegally".
As game makers and developers continue to tackle piracy and the rampant distribution of counterfeit versions of their software, one company has opted for a more controversial tool to address the issue. Mod developer Flight Sim Labs (FSLabs) has been accused of embedding malware in its flight simulation add-ons to steal pirates' Chrome passwords.
FSLabs is known for creating add-ons for the massively popular Microsoft Flight Simulator and for producing highly realistic flight simulation products that sell for over $100 apiece.
The issue first came to light on Sunday (18 February) after Reddit user crankyrecursion reported that FSLabs' Airbus A320-X add-on seemed to be setting off his antivirus scanner. The user later discovered that the recent version of the mod included a file named "test.exe" that matched an app named "Chrome Password Dump".
The tool by SecurityXploded is a command-line application that automatically detects and extracts stored usernames and passwords from the Chrome web browser.
Cybersecurity firm Fidus Information Security (FIS) said the "test.exe" file also triggered a "malicious" warning on 30 out of 67 antivirus tools, according to test service VirusTotal. Researchers also uncovered a comment made by a member of the FSLabs team in October 2017 regarding the "test.exe" file triggering antivirus software warnings.
"This is why we recommend you disable your AV when installing," the FSLabs team member wrote. "Many AV engines see our installers as a virus, which they are not (also known as a false positive)."
The finding immediately triggered fierce uproar from gamers and customers saying "there is absolutely no justification" for including a password stealer in a flight simulation add-on.
Although Fidus noted that the password-dumping tool is called when a fraudulent serial is used, researchers pointed out several "serious issues" raised by the inclusion of such code in an installer.
"The inclusion of a malware, in the form of a password dumper, in a trusted installer for the sake of combating piracy is absolute insanity," FIS founder Andrew Mabbitt told Motherboard. "When run, the program extracts all saved usernames and passwords from the Chrome browser and appears to send them to FSLabs. This is by far one of the most extreme, and bizarre, methods of Digital Rights Management (DRM) we've ever seen."
In response to the backlash, FSLabs confirmed the existence of the hidden file but argued that it is not used to "reveal any sensitive information of any customer who has legitimately purchased our products".
FSLabs CEO Kalamaras argued that the test.exe file is part of the DRM and is "only targeted against specific pirate copies of copyrighted software obtained illegally".
"There is a specific method used against specific serial numbers that have been identified as pirate copies and have been making the rounds on ThePirateBay, RuTracker and other such malicious sites," Kalamaras wrote in a post on the company's support forums. "If such a specific serial number is used by a pirate (a person who has illegally obtained our software) and the installer verifies this against the pirate serial numbers stored in our server database, it takes specific measures to alert us.
"This method has already successfully provided information that we're going to use in our ongoing legal battles against such criminals."
The studio has since released a clean, updated version of the A320 mod without the password-stealing malware in question.
"While the majority of our customers understand that the fight against piracy is a difficult and ongoing battle that sometimes requires drastic measures, we realise that a few of you were uncomfortable with this particular method which might be considered to be a bit heavy handed on our part," Kalamaras said. "It is for this reason we have uploaded an updated installer that does not include the DRM check file in question.
"I want to reiterate and reaffirm that we as a company and as flight simmers would never do anything to knowingly violate the trust that you have placed in us by not only buying our products but supporting them and FlightSimLabs."
Still, the embedding of password-stealing code to take on pirates has raised serious concerns among security experts regarding the collection and storage of user data without the users' consent or a warrant.
"Whilst we fully understand the importance of DRM and combating piracy, it poses the question on how ethical some companies are being in doing so along with the legal and infosec implications of it," Fidus said.