Trojan Minecraft App Version Uses Smalihook to Defeat Certificate Signing

F-Secure told PC Magazine's SecurityWatch about a trojanized version of the Android Minecraft PE app being sold at half the official price through third-party Russian app stores. The app runs just like Minecraft – but covertly introduces an SMS facility that can sign users up to expensive premium rate services. "The real game is included but it has one added permission: android.permission.SEND_SMS and the payment system has been 'enhanced,'" said F-Secure.

The result is that users who download this version get an inexpensive copy of the game, but a very expensive surprise when they get the next bill from their mobile service provider.

This type of compromise should not be possible since the Minecraft developers, Mojang, have included code to prevent it. "The original Minecraft includes a check inside the dex code that verifies the signature that has been used to sign the APK. If it's not [Mojang's], the code refuses to run," said F-Secure. But, explains SecurityWatch, "The phony Minecraft PE includes a special tool to specifically trick this failsafe, thus allowing it to work."

Now F-Secure has provided more details on that 'special tool.' In a new blog posting yesterday it explains that the fake Minecraft "was using a hacking tool called Smalihook, so we took a look at it." Smalihook hooks and replaces Java functions. In this instance it allows the trojanized version to get around Mojang's defense: an authentication routine built into the code that stops the app from running unless certificate verification finds the correct certificate.

Smalihook returns the value "com.google.android.feedback", even though the app wasn't downloaded from the Google Play Store. As a result, Minecraft is tricked into believing the certificate checks out, and runs normally – including the added SMS capability.
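The kind of in-app check the article is describing, written out as an added example in Android Java (this is not Mojang's code, nor anything from F-Secure's analysis). It reads the certificate the running APK was signed with, hashes it, and compares the result with a pinned fingerprint; the fingerprint constant and the class name are placeholders I have constructed. The point a practitioner should take from it is the one the article makes: the check executes inside the very dex that a repackager controls, so a tool that rewrites or hooks `getPackageInfo` (or the comparison itself) to hand back the expected value defeats it completely.

```java
// Added example, not the game's own code: a pinned signing-certificate self-check.
// EXPECTED_CERT_SHA256 is a constructed placeholder; a real app would pin the
// SHA-256 of its own release certificate (e.g. from `keytool -printcert`).
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.security.MessageDigest;
import java.nio.charset.StandardCharsets;

public final class SigningCertCheck {

    // Placeholder hex SHA-256 fingerprint of the developer's release certificate.
    private static final String EXPECTED_CERT_SHA256 =
            "0000000000000000000000000000000000000000000000000000000000000000";

    private SigningCertCheck() {}

    /**
     * Returns true only if the APK this code runs from is signed with the pinned
     * certificate. GET_SIGNATURES is the pre-API-28 path used in the article's era;
     * on API 28+ GET_SIGNING_CERTIFICATES / SigningInfo is the modern equivalent
     * and the comparison logic is unchanged. Any failure is treated as "not ours".
     */
    @SuppressWarnings("deprecation")
    public static boolean isSignedByPinnedCert(Context ctx) {
        try {
            PackageInfo info = ctx.getPackageManager().getPackageInfo(
                    ctx.getPackageName(), PackageManager.GET_SIGNATURES);
            Signature[] sigs = info.signatures;
            // A legitimately built release APK has exactly one signer here.
            if (sigs == null || sigs.length != 1) {
                return false;
            }
            // Signature.toByteArray() is the DER-encoded X.509 signing certificate.
            String actual = sha256Hex(sigs[0].toByteArray());
            return constantTimeEquals(actual, EXPECTED_CERT_SHA256);
        } catch (Exception e) {
            return false;
        }
    }

    // Lower-case hex SHA-256 of the DER certificate bytes.
    static String sha256Hex(byte[] der) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        StringBuilder sb = new StringBuilder();
        for (byte b : md.digest(der)) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    // Length-and-content comparison that does not short-circuit on the first mismatch.
    static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(
                a.getBytes(StandardCharsets.US_ASCII),
                b.getBytes(StandardCharsets.US_ASCII));
    }
}
```

Because the caller, the `PackageManager` call and the pinned constant all live in code the attacker can edit, a check like this raises the cost of casual repackaging but is not a root of trust. Where the outcome matters (here, whether a payment path is allowed to run), the decision has to be anchored outside the APK: a server that verifies the app's identity, or platform attestation such as Google's Play Integrity API, rather than a boolean computed on the device by the code being verified.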

"Smalihook," notes F-Secure, "seems to be part of the AntiLVL (Android License Verification Library Subversion) cracking tool. The purpose of these tools is to break license protection systems and they are aimed at developers who want to test their own protections against common types of attacks." 

The tool itself is publicly available over the internet from the androidcracking blog (interestingly one of Google's own Blogger sites). The site describes itself as "android cracking – information and techniques on android app cracking. for educational purposes only." 

Three years ago, lohan+ described Smalihook: "its purpose is to provide 'hook' (actually replacement) methods for things like getting device id or signature. it's not really anything special, unless you actually modify the places in the app that make use of certain function calls..." That is what the trojan version developers have done, using Smalihook to fool the Android device into accepting the app as genuine.
