McAfee has revealed that dozens of Minecraft-like mobile games downloaded from Google Play by tens of millions of users actually contained covert adware.
Security vendors found a total of 38 games, including Block Box Master Diamond, Craft Monster Crazy Sword, and Craft Rainbow Mini Builder. These games have been installed by at least 35 million users worldwide.
The adware in question is detected by McAfee as Android/HiddenAds.BJL and loads ads hidden from the user in the background to generate revenue.
“One of the most accessible [types of] Content for young people using mobile devices is games. Malware authors are aware of this and try to hide malicious functionality within their games,” explains McAfee security researcher Dexter Shin.
“Not only are these hidden features difficult for ordinary users to find, but they can easily trust games from official stores such as Google Play.”
Mobile Threat Details: Researchers Find 35 Adware Apps on Google Play.
McAfee discovered covert ad packets generated by ad libraries from Unity, Supersonic, Google, and AppLovin when analyzing the game.
“What’s even more interesting are the initial network packets for these games,” Shin claims. “The structure of the first packet is very similar. Every domain is different. However, as a path he uses 3.txt is equivalent. So in general, https://(random) Packets of the form .netlify.app/3.txt occur first.
Users from all over the world were affected by this HiddenAds campaign, but the largest numbers appeared to be in the United States, Canada, South Korea, and Brazil.
“We recommend thoroughly checking user reviews first before downloading any application from the store. Users should also install and always keep security software on their devices. [it] It’s up to date,” Singh concluded.
This is not the first time the HiddenAds Trojan has appeared in mobile apps. Last November, Malwarebytes found malware lurking in four of his apps that had been downloaded at least one million times from Google Play.
In that campaign, the malicious app in question opened a phishing site on Chrome on the victim’s device.
According to McAfee, HiddenAds was one of the most common malware detected in Q4 2020.
