Android Users Infected by Ads in Large-Scale Minecraft Clones

Google Play security researchers have discovered a record-breaking set of 38 Minecraft-like games infected with the HiddenAds adware. The malware operates covertly, loading ads in the background and generating income for its operators.

Minecraft, a popular sandbox game with 140 million monthly active players, has attracted many publishers seeking to capitalize on its success by copying or recreating it. However, some have gone a step further, introducing malicious software into their “homemade creations”.

These Minecraft-like games containing adware have already infected the devices of around 35 million Android users worldwide. Most of these downloads occurred in the USA, Canada, South Korea, and Brazil.

The majority of victims were unaware of the malware’s activities until the extent of the problem was disclosed. Because the games they downloaded appeared to be genuine, they had no reason to suspect anything was amiss. Moreover, they may have attributed any minor issues with overheating or network activity to the normal functioning of the game rather than the malware running in the background.

The adware set was discovered by the McAfee Mobile research group, which is part of an application protection alliance created to guard Google Play from all types of threats. After the discovery, specialists removed all clones of the popular game containing the malicious adware from Google Play.

The following are among the most widely downloaded applications containing HiddenAds: Block Box Master Diamond (10 million downloads), Craft Sword mini Fun (5 million downloads), Block Skyland Sword (5 million downloads), Craft monster Crazy Sword (5 million downloads), Block Pro Forrest Diamond (1 million downloads), Block Game Skyland Forrest (1 million downloads), Block Rainbow Sword Dragon (1 million downloads), Craft Rainbow Mini Builder (1 million downloads), and Block Forrest Tree Crazy (1 million downloads).

HiddenAds loads advertising in the background as soon as the user launches the game, but nothing is displayed on the game screen. Outwardly, the adware remains invisible. However, network traffic analysis after installation reveals an abnormally frequent exchange of dubious packets generated by Google, AppLovin, Unity, Supersonic, and others.
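The traffic pattern described above can be checked from a per-app connection log. The following sketch is an added example, not code from McAfee or from the original report: the host suffixes, the log format, the package names, and the 3-requests-per-minute threshold are all assumptions, and the sample log is constructed.

```python
from collections import defaultdict
from datetime import datetime

# Assumption: host suffixes for the ad networks the article names; adapt to your own list.
AD_SUFFIXES = ("doubleclick.net", "applovin.com", "unityads.unity3d.com", "supersonicads.com")

# Constructed sample log: "<ISO time> <app package> <destination host>"
SAMPLE_LOG = """\
2023-05-01T10:00:00 com.example.blockcraft ms.applovin.com
2023-05-01T10:00:15 com.example.blockcraft googleads.g.doubleclick.net
2023-05-01T10:00:30 com.example.blockcraft unityads.unity3d.com
2023-05-01T10:00:45 com.example.blockcraft init.supersonicads.com
2023-05-01T10:01:00 com.example.blockcraft ms.applovin.com
2023-05-01T10:01:20 com.example.blockcraft googleads.g.doubleclick.net
2023-05-01T10:01:40 com.example.blockcraft unityads.unity3d.com
2023-05-01T10:02:00 com.example.blockcraft init.supersonicads.com
2023-05-01T10:00:05 com.example.puzzle api.example.org
2023-05-01T10:01:05 com.example.puzzle googleads.g.doubleclick.net
2023-05-01T10:02:05 com.example.puzzle api.example.org
this line is malformed
"""

def is_ad_host(host):
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in AD_SUFFIXES)

def ad_request_rates(log_text):
    """Return {package: ad-network requests per minute of observed traffic}."""
    seen, ads = defaultdict(list), defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        try:
            when = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        seen[parts[1]].append(when)
        ads[parts[1]] += is_ad_host(parts[2])
    rates = {}
    for pkg, times in seen.items():
        # Floor the window at one minute so short captures do not inflate the rate.
        minutes = max((max(times) - min(times)).total_seconds() / 60, 1.0)
        rates[pkg] = ads[pkg] / minutes
    return rates

def flag_apps(log_text, threshold=3.0):
    """Packages whose ad-request rate meets the (assumed) threshold."""
    return sorted(p for p, r in ad_request_rates(log_text).items() if r >= threshold)
```

On the constructed sample, `flag_apps(SAMPLE_LOG)` flags only `com.example.blockcraft`, which contacts ad hosts four times a minute while the other app does so once in two minutes.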

Experts at McAfee suggest that the apps may be linked, and may even have been developed by the same author or group of authors, because they combine similar adware with identical games.
