Minecraft-like games that infected devices with the Android adware ‘HiddenAds’ have been installed by at least 35 million users around the world. These HiddenAds apps generated huge amounts of stealthy advertising packets in the background and exploited players while generating advertising revenue for their operators.

For those unaware, Minecraft is a popular video game developed by Mojang Studios and has over 140 million monthly active players. Players create and break apart various kinds of blocks and entities in a 3-dimensional environment. Its diverse gameplay allows players to select the way they play, by either enjoying Survivor Mode to survive in the wild or Creative Mode to focus on being creative.

As a member of the App Defense Alliance, which was created to protect users by preventing threats from reaching their devices and improving app quality across the ecosystem, McAfee reported the discovered apps to Google. The search giant took the necessary immediate measures and removed all the reported apps from the Google Play Store. Android users are further protected by Google Play Protect, which notifies users of identified malicious apps on Android devices. McAfee Mobile Security detects this threat as Android/HiddenAds.BJL.

Some of the most popular games with malware were officially uploaded to Google Play under various titles and package names. Users have already downloaded several of these games, one of which has 10M+ downloads. They are listed below:
Block Box Master Diamond – 10 million downloads
Craft Sword Mini Fun – 5 million downloads
Block Box Skyland Sword – 5 million downloads
Craft Monster Crazy Sword – 5 million downloads
Block Pro Forrest Diamond – 1 million downloads
Block Game Skyland Forrest – 1 million downloads
Block Rainbow Sword Dragon – 1 million downloads
Craft Rainbow Mini Builder – 1 million downloads
Block Forrest Tree Crazy – 1 million downloads
Since users could play the games without any problems as promised, they did not notice the large amount of malicious adware activity conducted in the background on their devices. Network analysis, though, shows the exchange of several questionable packets generated by the ads libraries of Unity, Supersonic, Google, and AppLovin, among others. Unfortunately, nothing is displayed on the game screen, making it difficult for users to identify the malicious activity.

“What’s even more interesting is the initial network packets of these games. The structure of the initial packet is very similar. All domains are different. But using 3.txt as the path is equivalent. That is, packets in the form of https://(random).netlify.app/3.txt commonly occur first,” McAfee wrote in a blog post.

This threat has been detected in numerous countries around the world, most prominently in the United States, Canada, South Korea, and Brazil.

As highlighted in the McAfee 2023 Consumer Mobile Threat Report, games are among the most accessible content for young people using mobile devices. Malware authors are also aware of this and try to exploit this weakness to hide their malicious features inside the game. To protect against such threats, McAfee recommends that users thoroughly review user feedback before downloading applications from the Google Play Store. Users should also install security software on their devices and keep them up to date.
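
For defenders who can see full request URLs from managed Android devices, the initial-request pattern quoted above (https://(random).netlify.app/3.txt) can be hunted in web proxy logs. The following is an added example, not code from McAfee or from the original article; the log format, the sample lines and the function names are assumptions made for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample proxy log lines (assumed format):
#   "<timestamp> <client-ip> <method> <url>"
SAMPLE_LOG = """\
2023-01-01T10:00:01Z 10.0.0.5 GET https://a1b2c3-example.netlify.app/3.txt
2023-01-01T10:00:02Z 10.0.0.5 GET https://ads.example.net/v1/load
2023-01-01T10:00:03Z 10.0.0.7 GET https://docs-site.netlify.app/index.html
2023-01-01T10:00:04Z 10.0.0.9 GET https://news.example.org/3.txt
2023-01-01T10:05:00Z 10.0.0.5 GET https://zz99yy-example.netlify.app/3.txt?x=1
2023-01-01T10:06:00Z 10.0.0.8 GET https://evilnetlify.app/3.txt
2023-01-01T10:07:00Z 10.0.0.6 GET https://NETLIFY.APP.other.example/3.txt
malformed line without enough fields
"""


def is_indicator(url):
    """True if the URL is any subdomain of netlify.app with path exactly /3.txt."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    # endswith(".netlify.app") requires a real subdomain label and rejects
    # look-alikes such as "evilnetlify.app" or "netlify.app.other.example".
    return (
        parts.scheme in ("http", "https")
        and host.endswith(".netlify.app")
        and parts.path == "/3.txt"
    )


def find_hits(log_text):
    """Map each client IP to the sorted netlify.app hosts it fetched /3.txt from."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip lines that do not match the assumed format
        _timestamp, client, _method, url = fields
        if is_indicator(url):
            hits[client].add(urlsplit(url).hostname.lower())
    return {client: sorted(hosts) for client, hosts in hits.items()}


if __name__ == "__main__":
    for client, hosts in find_hits(SAMPLE_LOG).items():
        print(f"{client}: {len(hosts)} distinct host(s): {', '.join(hosts)}")
```

Because netlify.app is a general-purpose hosting platform, a match is a lead for further review of the apps installed on that device rather than proof of infection.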