The Tic Tac Toe Game Spies On You

One simple Android game can get as much information about the smartphone’s owner as a real spy can.

UPDATE: It has been brought to our attention that the following application was actually a proof-of-concept developed by Lacoon Security. This article has been amended in certain places to reflect that reality and that the app is not publicly available. However, the content of and advice contained within this article remain relevant, as an attacker could easily build a similar, publicly available application, which is exactly why Lacoon’s research is so useful.*

What does a spy need in order to gather information about a victim? He has to establish round-the-clock surveillance that involves several people, then secretly install hidden cameras and microphones, and maybe even steal the victim’s smartphone (and its password, of course). However, these days you can get all of the necessary information in a much simpler way: simply release a free mobile game and wait for the moment when a victim installs it. Unfortunately, this is no oversimplification. Just one simple smartphone app can provide a criminal with a lot of information about a person. Want proof? Experts from Kaspersky Lab have it.

Tic Tac Toe is a simple and easy-to-find game for Android devices, but just as you shouldn’t judge a book by its cover, it’s also a bad idea to think that any app is just a game and nothing more. In reality, this proof-of-concept is a spying tool that is powered by what Kaspersky Researchers are calling the Gomal Trojan, which can steal private data, record a smartphone owner’s voice and even read SMS messages and emails that are stored on a device. Even more importantly, these actions are possible – both within this experimental app and any other real world one – because a careless user is granting permission for each right that this malware asks for.

krestik_1 (1)

This Tic Tac Toe game is asking for many more things than a normal game would have access to. The list of permissions requested by the game is astonishing. For example, it needs to have access to the Internet, the user’s contacts and SMS archive, and also wants to be able to process calls and record sound. The result is predictable: after a user installs and starts the game, the Trojan travels almost everywhere in the smartphone, including memory due to an exploit used to obtain root privileges.

This allows it to steal not only SMS messages and some personal data, but also read emails from an app called Good for Enterprise, if it’s installed on the smartphone. The Good for Enterprise application is positioned as a secure email client for corporate use, so the theft of data from it can mean serious problems for the company where the owner of the device is employed. Therefore, the person could not only lose his or her work, but could also leave the company in huge trouble.

The game starts spying only after a careless user gives it permission to access almost everything on the device.

Actually Tic Tac Toe is not the first of its kind: attempts by cybercriminals to disguise malware as useful applications are common, almost to the point of being routine. However, this game seems to be a new kind of mobile malware, which can steal messages even from secured apps. This game was made to “work” only with the Good for Enterprise app, but principles upon which this technique is based could be used to steal data from almost any messaging app such as WhatsApp, Viber, you name it.

However, you can easily reduce the risk of infection by mobile malware like this one if you follow our recommendations:

  • Do not activate the “Install applications from third-party sources” option.
  • Only install applications from official outlets (Google Play, Amazon Store, etc.).
  • When installing new apps, carefully study the rights that they request.
  • If the requested rights do not correspond with the app’s intended functions, then do not install the app.
  • Use protection software.

*You’ll notice that we have continued to refer to this application as malicious throughout this article. This is not because we are taking a hardline here, but rather that as a security company, Kaspersky Lab detects all forms of malware, regardless of their origin or purpose. Kaspersky Lab received samples of the Tic Tac Toe game through a malware exchange with other antivirus companies, and it was not marked as a proof-of-concept at this time. We saw several potentially malicious functions in this app, and a thorough analysis of TicTacToe revealed that the game code accounted for less than 30% of the executable file’s size. The rest is of the functionality is intended for monitoring users and obtaining personal data. It is for this reason that we began the investigation and reported the incident to the public.