Mobile game with 10m+ downloads spills source code, endangers user data

The source code of Escalators, a mobile game available on Google Play Store and Apple’s App Store, was allegedly posted on several popular hacker forums.

The threat actor posted a dataset of nearly 600 MB of likely stolen information. Source code leaks pose a significant security threat to developers as their intellectual property can be exposed.

Source code reveals can also allow attackers to peer into security threats of apps and develop tailor-made exploits for later use.

Escalators breach
Leak announcement.

According to the Protergo research team, the leaked information includes Firebase URL and its key. Firebase is a mobile application development platform primarily used for data storage.

With Firebase URL and key at hand, attackers could access private user data kept on the Firebase database, potentially resulting in data theft or manipulation.

The leak includes Google and Apple in-app payment Application Programming Interface (API) keys. While the API keys are obfuscated, the team found instructions to deobfuscate the data.

In-app payment keys allow the processing of in-app purchases and, coupled with access to the game‘s source code, the information could enable attackers to make in-game purchases without developers‘ permission. That could lead to financial losses for the company and fraud.

In-app payment API keys could also grant attackers the means to read order IDs, anonymized user IDs, and purchase tokens. The latter is used to prove users are entitled to products they buy within the app.

The files in the exposed dataset were extracted in early November 2022.

We have reached out to Escalators’ publisher Supersonic Studios, and the game’s developers but did not receive an immediate reply.

Escalators are a relatively popular game with over 10 million downloads on the Play Store and tens of thousands of ratings on the App Store. The game’s publisher, Supersonic Studios LTD, is a mobile game publisher and studio headquartered in Tel Aviv.

Leave a Comment

Your email address will not be published. Required fields are marked *