http://dx.doi.org/10.13089/JKIISC.2015.25.6.1361

A Study on Mobile Game Security Threats by Analyzing Malicious Behavior of Auto Program of Clash of Clans  

Heo, Geon Il (Graduate School of Information Security, Korea University)
Heo, Cheong Il (Korean Association for Industrial Technology Security)
Kim, Huy Kang (Graduate School of Information Security, Korea University)
Abstract
Recently, both the size of the mobile game market and the number of mobile game users have been growing. As the life cycle of mobile games is lengthening at the same time, the auto program issue that previously appeared in PC online games is reappearing. Gamers tend to ignore warning messages from antivirus programs and, even worse, delete the antivirus program in order to run auto programs. Mobile game users are therefore easily compromised if an auto program performs malicious behaviors in addition to its original features. In this paper, we analyze whether seven auto programs for "Clash of Clans", a game that has had a large number of users for a long time, perform malicious behaviors. Based on this analysis, we forecast the security threats that are possible in the near future and propose countermeasures. By analyzing auto programs for a highly popular current mobile game, we can acquire knowledge of recent trends in auto programs, such as their development platform and operating mode. This analysis will help security analysts predict how auto programs will evolve and block potential threats in advance.
Keywords
auto program; macro; mobile game; malicious behavior
Citations & Related Records
Times Cited By KSCI: 3