87 fake Minecraft mods exposed Android users to scammy websites, aggressive ads

So about those permissions…

Dodgy minecraft mod

Google has removed 87 fake Minecraft mods from its Play Store that exposed Android users to scammy websites and aggressive ads.

The fake applications, which were reported to Google between 16 March and 21 March, fall into two categories. First, 14 of them display out-of-app advertisements to users. They do so via the same ad-displaying downloader known as "Android/TrojanDownloader.Agent.JL."

1 2

Ad-displaying downloader disguised as Minecraft mods on Google Play. (Source: ESET)

Upon successful installation, each malicious app asks users for administrator privileges. They then prompt users to install an additional module known as "Block Launcher Pro." This process loads up Android/Hiddad.DA as its payload.

What happens next, you ask?

Nothing much! The app displays a Minecraft screen with no clickable elements. That's because all 14 of these apps' sole functionality is to interrupt users' activity and display mobile ads like this one.

Unwanted ad

Out-of-app advertisements showing up on victim’s device. (Source: ESET)

But ESET malware analyst Lukas Stefanko says the threat could get worse. As he explains in a blog post:

"Since the result of this evolution – a downloader – is able to download any sort of additional malware to the victim’s device, there is no reason to believe malware authors would stop at only displaying unwanted ads. Seeing they can lure thousands of users into installing their deceptive applications, more dangerous threats distributed under similar disguise might be the next logical step."

You can view a video of one of these fake Minecraft mods below.

The remaining 73 fake mods for Minecraft, a popular computer game which saw the login credentials of 1800+ of its users leaked online in early 2015, are all detected as Android/FakeApp.FG. Why? Because they are illegitimate apps!

None of the programs download any mods when users click "Download" button. Instead the button opens a mobile browser window and redirects them to all sorts of websites containing ads, porn, surveys, and fake antivirus warnings.

5 2 768x683

Fake download screen displayed after launch. (Source: ESET)

So what's our moral of the story here?

First, it's a good idea to download apps from only official app marketplaces. Google's Play Store and Apple's App Store don't detect every threat, but you can be sure they're looking for apps that might harm their users.

Second, users should read the reviews of an app before they download it. These postings usually contain warning signs of malicious behavior.

Last but not least, be on the lookout for fishy permissions. If a Minecraft mod needs administrator privileges to a device, it's probably not legitimate.

Users who've suffered an infection at the hands of one of these fake mods should revoke their administrator access by going to Settings > Security > Device administrators. They can then uninstall the apps using Settings > Application Manager.

Tags: , , , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

, , , ,

No comments yet.

Leave a Reply