Dozens of Minecraft-like mobile games downloaded by tens of millions of users from Google Play actually contained covert adware, McAfee has revealed.
The security vendor discovered a total of 38 games with titles like Block Box Master Diamond, Craft Monster Crazy Sword and Craft Rainbow Mini Builder, which were installed by at least 35 million users worldwide.
Detected by McAfee as Android/HiddenAds.BJL, the adware in question loads ads in the background, hidden from the user, in order to generate revenue.
“One of the most accessible [types of] content for young people using mobile devices is games. Malware authors are also aware of this and try to hide their malicious features inside games,” explained McAfee security researcher, Dexter Shin.
“Not only is it difficult for general users to find these hidden features, but they can easily trust games from official stores such as Google Play.”
Read more on mobile threats: Researchers Find 35 Adware Apps on Google Play.
McAfee discovered covert ad packets generated by the ad libraries of Unity, Supersonic, Google and AppLovin when it analyzed the games.
“What’s even more interesting is the initial network packets of these games,” Shin argued. “The structure of the initial packet is very similar. All domains are different. But using 3.txt as the path is equivalent. That is, packets in the form of https://(random).netlify.app/3.txt commonly occur first.”
Although users worldwide were affected by this HiddenAds campaign, the largest number were apparently located in the US, Canada, South Korea and Brazil.
“We first recommend that users thoroughly review user reviews before downloading applications from the store. And users should install security software on their devices and always keep [it] up to date,” Shin concluded.
This is far from the first time the HiddenAds Trojan has appeared in mobile apps. In November last year, Malwarebytes discovered the malware hiding in four apps that had been downloaded from Google Play at least one million times.
In that campaign, the malicious apps in question opened phishing sites in Chrome on the victims’ devices.
HiddenAds was among the most prolific malware detected in Q4 2020, according to McAfee.