Popularity attracts the attention of cybercriminals easily, the latest instance being Minecraft-type games with HiddenAds malware, researchers at McAfee found.
Minecraft is an extremely popular sandbox game, where players create and break apart various kinds of blocks in 3-dimensional worlds. It can be played on a desktop or mobile and is developed by Mojang Studios.
The popularity of Minecraft has led to many attempts to recreate similar games. As a result, many games built on the same concept as Minecraft exist worldwide, including some Minecraft-type games with HiddenAds malware.
McAfee reported these apps to Google, which took prompt action, and the apps are no longer available on Google Play.
Minecraft-type games with HiddenAds malware
The McAfee Mobile Research Team has recently discovered 38 Minecraft-type games with HiddenAds malware on the Google Play Store. Together, at least 35 million users worldwide have installed these games.
Users can play these games without any problems in the block-based world, but the device continuously generates advertisement packets to various domains in the background.
The initial network packets of these Minecraft-type games with HiddenAds malware have a very similar structure: the domains all differ, but every request uses 3.txt as the path.
Users in the U.S., Canada, South Korea, and Brazil were the most impacted by these video games sending packets of advertisements in the background. These Minecraft-type games with HiddenAds malware even had similar names, besides having a similar structure to Minecraft.
Minecraft-type games with HiddenAds: Ad-bombardment
Upon finding these Minecraft-type games with HiddenAds malware on Google Play Store, the McAfee Mobile Research Team alerted Google about it. Google promptly removed those apps from its platform.
The games are no longer available on Google Play Store. The apps, detected as malicious on Android, were uploaded to Google Play under different names.
While Google Play Protect is tasked with alerting users when it notices malicious applications, users are expected to exercise caution before downloading versions of paid and/or popular games.
Among the games found with hidden advertisement packets were Block Box Master Diamond, which was downloaded over 10 million times, Craft Sword Mini Fun, Block Box Skyland Sword, Craft Monster Crazy Sword, and Block Pro Forrest Diamond.
Other games similar to Minecraft that threatened the security of user devices with advertising packets were Block Game Skyland Forrest, Block Rainbow Sword Dragon, and Craft Rainbow Mini Builder.
Most of the video games sending packets of advertisements followed similar naming conventions, with Craft, Block, Builder, Rainbow, Forrest, Fun, and Diamond in their names.
Users would often overlook the large volume of hidden advertisements while playing these games.
Researchers captured four questionable packets from the ad libraries of Unity, Supersonic, Google, and AppLovin, as shown in the image above. This data was hidden from users and did not appear on the screen at any point.
The initial network packets of these games were very similar to each other. Although the domains were different, they all used 3.txt as the path, so the requests took the form https://(xyz).netlify.app/3.txt
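A hunting check for the request shape described above, as an added example that is not from McAfee's report or this article: it scans proxy log lines for HTTPS GET requests to any netlify.app subdomain with the exact path /3.txt and groups the matches by device. The log format, device names, and hostnames are constructed for illustration; netlify.app also hosts legitimate sites, so a match is a lead to investigate rather than a verdict.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log lines (assumed format: time, device id, method, URL).
SAMPLE_LOG = """\
2023-04-01T10:00:01Z tablet-01 GET https://example-one.netlify.app/3.txt
2023-04-01T10:00:02Z tablet-01 GET https://example-two.netlify.app/3.txt
2023-04-01T10:00:03Z phone-07 GET https://EXAMPLE-THREE.Netlify.App/3.txt?v=2
2023-04-01T10:00:04Z phone-07 GET https://docs-site.netlify.app/index.html
2023-04-01T10:00:05Z laptop-02 GET https://netlify.app.lookalike.example/3.txt
2023-04-01T10:00:06Z laptop-02 GET https://blog.netlify.app/files/3.txt
malformed line without enough fields
"""

def matches_pattern(url):
    """True only for https://<subdomain>.netlify.app/3.txt (query ignored)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    # Compare the parsed host suffix and exact path; a substring search
    # would also match look-alike hosts and nested paths.
    return (parts.scheme == "https"
            and host.endswith(".netlify.app")
            and parts.path == "/3.txt")

def find_initial_requests(log_text):
    """Map device id -> sorted list of netlify.app hosts it requested /3.txt from."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip lines that do not fit the assumed log format
        _, device, method, url = fields
        if method == "GET" and matches_pattern(url):
            hits[device].add(urlsplit(url).hostname.lower())
    return {device: sorted(hosts) for device, hosts in hits.items()}

if __name__ == "__main__":
    for device, hosts in find_initial_requests(SAMPLE_LOG).items():
        print(device, hosts)
```

A device that requests /3.txt from several different netlify.app subdomains, as tablet-01 does in the sample, is the strongest lead, since the article notes that every app used a different domain with the same path.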
HiddenAds malware: The problem persists
Although Google has removed these Minecraft-type games with HiddenAds malware from Google Play Store, the possibility of threat actors exploiting popular online content continues, McAfee’s earlier analysis indicates.
McAfee’s Mobile Research Team in July 2022 identified this malware on the Google Play Store. Researchers noticed that the infected apps continuously show advertisements to victims and run malicious services automatically upon installation, without the app being executed.
“Users may generally think installing the app without executing it is safe. But you may have to change your mind because of this malware. When you install this malware on your device, it is executed without interaction and executes a malicious service,” the report said.
“In addition, they try to hide themselves to prevent users from noticing and deleting apps. Change their icon to a Google Play icon that users are familiar with and change its name to ‘Google Play’ or ‘Setting’.”
To promote these apps to new users, the malware authors created advertising pages on Facebook. The link to Google Play was distributed through legitimate social media, so users downloaded the apps without suspicion.
The malware uses the Contact Provider, which is the source of the data seen in the device’s contacts application; an application can also access its data and transfer data between the device and online services. The Contact Provider automatically interrogates newly installed or replaced packages, making it easy for the malware to infect devices.
McAfee then confirmed that these apps had already been installed from 100K to 1M+ times by users in several countries, including South Korea, Japan, and Brazil.
Although the company disclosed this threat to Google, and all reported applications were removed from the Play Store, it was just a matter of time before it popped up again, this time in the form of Minecraft-type games with HiddenAds malware.