87 fake Minecraft mods exposed Android users to scammy websites, aggressive ads

So about those permissions…

David Bisson


Google has removed 87 fake Minecraft mods from its Play Store that exposed Android users to scammy websites and aggressive ads.

The fake applications, which were reported to Google between 16 March and 21 March, fall into two categories. First, 14 of them display out-of-app advertisements to users. They do so via the same ad-displaying downloader known as “Android/TrojanDownloader.Agent.JL.”

Ad-displaying downloader disguised as Minecraft mods on Google Play. (Source: ESET)

Upon successful installation, each malicious app asks users for administrator privileges. It then prompts users to install an additional module known as “Block Launcher Pro.” This process loads up Android/Hiddad.DA as its payload.


What happens next, you ask?

Nothing much! The app displays a Minecraft screen with no clickable elements. That’s because all 14 of these apps’ sole functionality is to interrupt users’ activity and display mobile ads like this one.

Out-of-app advertisements showing up on victim’s device. (Source: ESET)

But ESET malware analyst Lukas Stefanko says the threat could get worse. As he explains in a blog post:

“Since the result of this evolution – a downloader – is able to download any sort of additional malware to the victim’s device, there is no reason to believe malware authors would stop at only displaying unwanted ads. Seeing they can lure thousands of users into installing their deceptive applications, more dangerous threats distributed under similar disguise might be the next logical step.”

You can view a video of one of these fake Minecraft mods below.

[Video: 87 infected Minecraft mods discovered in Google Play]

The remaining 73 fake mods for Minecraft, a popular computer game which saw the login credentials of 1800+ of its users leaked online in early 2015, are all detected as Android/FakeApp.FG. Why? Because they are illegitimate apps!

None of the programs download any mods when users click the “Download” button. Instead, the button opens a mobile browser window and redirects them to all sorts of websites containing ads, porn, surveys, and fake antivirus warnings.

Fake download screen displayed after launch. (Source: ESET)

So what’s our moral of the story here?

First, it’s a good idea to download apps from only official app marketplaces. Google’s Play Store and Apple’s App Store don’t detect every threat, but you can be sure they’re looking for apps that might harm their users.

Second, users should read the reviews of an app before they download it. These postings usually contain warning signs of malicious behavior.

Last but not least, be on the lookout for fishy permissions. If a Minecraft mod needs administrator privileges to a device, it’s probably not legitimate.

Users who’ve suffered an infection at the hands of one of these fake mods should revoke their administrator access by going to Settings > Security > Device administrators. They can then uninstall the apps using Settings > Application Manager.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.
