A set of 38 Minecraft copy games on Google Play infected devices with “HiddenAds” Android adware to stealthily load advertisements in the background to generate revenue for its operators.

Minecraft is a popular sandbox game with 140 million monthly active players, which many game publishers have tried to recreate.

Adware-hiding Minecraft-like games have been downloaded by around 35 million Android users worldwide, mostly in the United States, Canada, South Korea, and Brazil.

Map of HiddenAds victims
Map of HiddenAds victims (McAfee)

These users did not notice the malicious adware activity running in the background because they could play the games as promised. Additionally, any possible overheating, increased network data, or battery consumption caused by loading lots of advertisements may be perceived as caused by the game.

The adware bundle was discovered by The McAfee Mobile Research Teammember of the App Defense Alliance created to protect Google Play from all types of threats.

After the report and all the apps were reported and then removed from the store, the most downloaded apps of this malicious bundle are listed below:

  • Master Diamond Block Box – 10 million downloads
  • Craft Sword Mini Fun – 5 million downloads
  • Skyland Sword Block Box – 5 million downloads
  • Craft Crazy Monster Sword – 5 million downloads
  • Block Pro Forrest Diamond – 1 million downloads
  • Skyland Forrest Block Set – 1 million downloads
  • Block Rainbow Sword Dragon – 1 million downloads
  • Make a Mini Rainbow Builder – 1 million downloads
  • Block Forrest Tree Crazy – 1 million downloads
The most popular advertising game
The most popular advertising game (McAfee)

Ads are loaded in the background once the user launches the game, but nothing is displayed on the game screen.

Network traffic analysis, however, shows the exchange of several dubious packets generated by ad libraries from Google, AppLovin, Unity, and Supersonic, among others.

Suspicious network packets exchanged in the background
Suspicious network packets exchanged in the background (McAfee)

McAfee reports that the initial network packets on several of the apps share similar structures, using “3.txt” as the path in the form “https://(random).netlify.app/3.txt”, although the domains in each application are different.

Initial packs of three of the apps in the set
Initial packs of three of the apps in the set (McAfee)

This, in combination with the games’ similar names, suggests a possible connection between them, making it likely that the same author created the apps. However, McAfee does not explicitly mention any definitive link.

While advertising apps are not considered particularly dangerous for users, they can reduce the performance of a mobile device, raise privacy issues and even potentially create security holes that could expose users to more serious infections.

Android users should check The McAfee report for a full list of affected apps and remove them manually if they haven’t already been removed.


Source link