Malware in Minecraft mods: story continues
Quote:

We found more Minecraft modpacks and a file recovery utility available in Google Play concealing malicious adware.

Although we recently reported finding 20 apps in Google Play posing as Minecraft modpacks — the most popular with more than a million downloads — Minecraft-themed malware continues to pop up in Google Play. Instead of doing anything they claimed, the apps turned users’ smartphones and tablets into extremely intrusive advertising tools.

To be clear, the apps were totally useless from a user perspective. Instead, after the first run they hid their icons and repeatedly opened the browser to flash ads. They could also play videos from YouTube, open Google Play app pages, and more. The version we analyzed, for example, opened the browser every two minutes, rendering the device essentially unusable. The thing was especially troubling, because it was extremely hard for a user to figure out what was going on, which app was responsible for the troubles and how to stop it.

We notified Google about our find, and the malicious apps were quickly removed from the store.

New versions of malicious apps

Deletion from Google’s app store does not necessarily defeat malware; historically, its makers simply upload new, slightly modified, versions using different names and from different developer accounts.

One example of the cycle comes from the VK Music Trojan, which stole VK user accounts and, despite being reported, dug in to Google Play for several years.

Mindful of that, we revisited the case of the harmful Minecraft modpacks in Google Play to find out whether reporting had helped. To that end, we launched a search for similar apps — and found some.

New, improved versions

First, we found several apps using the abovementioned approach, but with some improvements. In a basic scenario the apps accept push message commands from the attackers to show full-screen ads (no user interaction required). The apps are designed to download an extra module as well. With that module downloaded, more functions become available, enabling the apps to hide their icons, run the browser, play YouTube videos, open Google Play app pages, and so forth.

This time, the list of compromised apps included, in addition to Minecraft mods, a file recovery utility called File Recovery – Recover Deleted Files. Version 1.1.0, available from Google Play until February 2021, had a malicious payload. That version has been removed, and version 1.1.1, which is now on Google Play, is safe.

Simplified version with paid subscription on Google Play

Second, we found a couple of Minecraft modpacks with basic functionality, a configuration in which the apps occasionally show full-screen ads, even with the app inactive, but are unable to hide their icons or run the browser, YouTube, or Google Play. For extra monetization, the in-app purchases function is used.
...