What is Cold Jewel Lines? Fake WhatsApp update found on Google Play promotes malware-laden game
Researchers said the game contained malware capable of extracting a host of sensitive information from the device.
Security researchers have discovered a fake WhatsApp update on the Google Play Store that advertises a fully functional Candy Crush-like game that is riddled with malware. The dubious Android WhatsApp program called "Update WhatsApp Messenger" was first unearthed by Reddit users earlier in November and was later investigated by Zimperium's zLabs research team.
Disguised to look like an official WhatsApp app, the malicious programme actually bombards users with a slew of dodgy ads. The developer of the phoney WhatsApp program was named "WhatsApp Inc." with a non-breaking space at the end.
Researchers said this app was downloaded more than a million times from the Google Play Store.
Once installed, the app is hard to find on the device because it cannot be seen on the launcher. To evade detection, the developer set an empty app_name value and designed the icon to be transparent. However, clicking on the "empty" icon at the end of the list of applications in the launcher will open up the programme.
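The two concealment tricks above (a publisher name padded with an invisible character, and an empty app label with a transparent icon) are cheap to check for in an app-vetting pipeline. The following is an added example, not code from Zimperium or the researchers; it assumes constructed listing metadata with the hypothetical fields `app_name`, `developer` and `icon_transparent`.

```python
import unicodedata

# Constructed sample listings: a genuine-looking one and one using the tricks
# described above (trailing non-breaking space, empty label, transparent icon).
SAMPLE_LISTINGS = [
    {"app_name": "WhatsApp Messenger", "developer": "WhatsApp Inc.", "icon_transparent": False},
    {"app_name": "", "developer": "WhatsApp Inc.\u00a0", "icon_transparent": True},
]
TRUSTED_PUBLISHERS = ["WhatsApp Inc."]  # hypothetical allow-list of known publishers


def canonical(name: str) -> str:
    """Normalise a publisher or app label so visually identical strings compare equal."""
    text = unicodedata.normalize("NFKC", name)  # folds NBSP/figure spaces to U+0020, fullwidth letters, etc.
    out = []
    for ch in text:
        cat = unicodedata.category(ch)
        if cat == "Cf":        # zero-width and other format characters: drop
            continue
        if cat == "Zs":        # any remaining space separator: plain space
            ch = " "
        out.append(ch)
    return " ".join("".join(out).split()).casefold()  # collapse runs, strip, casefold


def assess_listing(listing: dict, trusted_publishers: list) -> list:
    """Return human-readable findings for a listing; an empty list means nothing suspicious."""
    findings = []
    dev = listing.get("developer", "")
    for trusted in trusted_publishers:
        if dev == trusted:
            break  # exact match with a known publisher
        if canonical(dev) == canonical(trusted):
            findings.append(f"developer name impersonates {trusted!r} via invisible/lookalike characters: {dev!r}")
            break
    if canonical(listing.get("app_name", "")) == "":
        findings.append("empty app label (app would be invisible on the launcher)")
    if listing.get("icon_transparent", False):
        findings.append("fully transparent icon")
    return findings


if __name__ == "__main__":
    for listing in SAMPLE_LISTINGS:
        print(listing["developer"].encode("unicode_escape").decode(), assess_listing(listing, TRUSTED_PUBLISHERS))
```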
After the app is launched, the user is hit with a variety of advertisements prompting them to install other malicious apps.
Zimperium researcher Matteo Favaro found one of the ads to be really suspicious. The ad promotes a Play Store app called Cold Jewel Lines, a fully functional game similar to the popular Candy Crush.
However, malware is executed immediately after a user starts the game. It is capable of communicating with a C&C server, performing automated ad-clicking, exfiltrating sensitive information from the infected device, parsing and extracting information from received SMS texts, potentially executing other malicious payloads and exploits, and executing shell commands to extract more data.
According to Favaro, the malware is capable of extracting sensitive information about the infected device including its version, manufacturer, root status, user agent, operator, IMEI (International Mobile Equipment Identity) number, IMSI (international mobile subscriber identity) number, Android UUIDs (Universally Unique Identifier), Wi-Fi network, fingerprint and more.
The Cold Jewel Lines app was reported to Google on 20 November and was removed the next day.