Fake Cyberpunk 2077 Android apps are on the move

By

The action role-playing video game Cyberpunk 2077 has been one of the most awaited game in the recent times and after multiple delays the game finally released in December 2020. Even though the game had bugs and issues during the initial release, it garnered massive popularity and following during the initial release window. This attracted the attention of gamers and non-gamers alike, unsurprisingly malware writers and scamsters also started taking advantage of this popularity.

Fake download sources

Even though this game is not natively available on mobile devices like Android and IPhone, there are multiple sources that advertise Cyberpunk’s availability on these devices:

  • A number of websites host downloadable files with the name Cyberpunk, but they request for “verification” before the download can start. This verification usually lead to online “survey scam” websites which are after the users personal information:

 

  • There are a number of youtube videos that claim to show how to download and play Cyberpunk on mobile devices. Most of these videos direct users to websites that further lead to verification scams as highlighted above, some of the websites lead to android apps :

Different types of apps

We observed a number of different types of fake Cyberpunk named apps for Android, few of them are listed below:

 

Verification apps

These apps contain Cyberpunk game related assets files like icons and menu videos. These menu and intro videos get played once the app runs making them look authentic to the user. But once the video is displayed the user is forwarded to verification/online survey links.

  • MD5: 0766e628c6e6cf2048a6f6d007db4343
  • Package name: com.codwarzone.neta
  • Application name: Cyberpunk 2077

 

While not inherently malicious, these apps direct the users to sites that serve online survey scams. These scams try to extract sensitive user information and further misuse this information by selling it to data brokers, using it for phishing/spam/identity theft.

 

Ransomware

This app is a ransomware that uses the popularity of Cyberpunk to infect victims and demand ransom in the form of Bitcoin.

  • MD5: cbd92757051490316de527a02ac17947
  • Package name: com.codwarzone.neta
  • Application name: Cyberpunk 2077 Mobile (Beta)

The ransom message is hardcoded in the code:

 

This malware appends the extension “.coderCrypt” at the end of files

 

The ransomware demands ransom to be sent to the Bitcoin wallet address 336Fvf8fRrpySwq8gsaWdf7gfuGm5FQi8K. Below is the recent activity on this address:

 

Malware creators are yet again using the popularity of a game to spread their malicious creations. Right now Cyberpunk 2077 is not available natively for mobile devices, it can however be played on mobile by game streaming services such as Stadia. So any video or post that claims to show how to install this game on a mobile device is likely a fake.

 

SonicWall Capture Labs provide protection against this threat with the following signatures:

  • AndroidOS.CodeWare.RSM (Trojan)
  • AndroidOS.Injector.VF (Trojan)

 

Indicators of Compromise (IOC’s):

  • cbd92757051490316de527a02ac17947
  • 0766e628c6e6cf2048a6f6d007db4343
Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.