Security researcher Randy Westergren has reverse engineered super popular app Trivia Crack, recompiled it to help cheaters and along the way showed how to turn it into nastyware.
The app which pits players in competitive trivia has even gotten the New York Mets addicted, according to the The Wall Street Journal.
Another victim was Westergren's wife, prompting the hacker to examine the app's insides.
"I began by monitoring the web API requests made over the network while using the Android app," Westergren says.
"It seemed that the app was receiving the category, question, and answer from the Trivia Crack servers before the user even began spinning the 'category' wheel.
"... the category, question, answer options, and correct answer keys are all included in the response. This means it would be straightforward to identify the answer when asked within the app to cheat the game."
His 44Mb recompiled .apk app (requires installation of unknown sources to be checked) provided numbers next to Trivia Crack questions that relate to the correct answer.
These answers are pulled from the server responses described in the code as 'ANSWERS_CHEAT' which Westergren plucked using Grep.
While his work serves to tip the social gameplay balance to cheaters, Westergren says it also shows that "client application privacy cannot be guaranteed and developers should be careful about what’s included in their compiled releases".
The researcher's lighter work comes fresh off disclosing dangerous vulnerabilities in Verizon's FiOS application that affected some five million users.
While Westergren is a known whitehat researcher, users should be cautious when installing Android applications from unknown sources as devices could be easily infected. ®