Minecraft is a popular video game that can be played on a desktop or mobile. This is a sandbox game developed by Mojang Studios. Players create and break apart various kinds of blocks in 3-dimensional worlds and they can select to enjoy Survivor Mode to survive in the wild or Creative Mode to focus on being creative.
Minecraft’s popularity has led to many attempts to recreate similar games. As a result, there are so many games with the same concept as Minecraft worldwide. Even on Google Play, we can easily search for similar games. McAfee Mobile Research Team recently discovered 38 games with hidden advertising. These HiddenAds applications discovered on the Google Play Store and installed by at least 35 million users worldwide, have been found to send packets stealthily for advertising revenue in bulk.
McAfee, a member of the App Defense Alliance, focused on protecting users by preventing threats from reaching their devices and improving app quality across the ecosystem. reported the discovered apps to Google, which took prompt action and the apps are no longer available on Google Play. Android users are protected by Google Play Protect, which can warn users of identified malicious apps on Android devices, and McAfee Mobile Security detects this threat as Android/HiddenAds.BJL. For more information, and to get fully protected, visit McAfee Mobile Security.
How is it distributed to users?
They were officially uploaded to Google Play under various titles and package names. Many games have already been downloaded by users, including apps with 10M+ downloads.
Figure 1. 10M+ downloaded app being one of them
Also, because they can play the game, users can’t notice the large amount of advertising packets being generated on their devices.
Figure 2. Game screen that can be played
What does it do?
After the game is running, the user can play without any problems in the block-based world, only like Minecraft-type games. However, advertisement packets of various domains continuously occur on the device. For example, the four packets shown in the picture are questionable packets generated by the ads libraries of Unity, Supersonic, Google, and AppLovin. Unfortunately, nothing is displayed on the game screen.
Figure 3. Continuous advertising packets
What’s even more interesting is the initial network packets of these games. The structure of the initial packet is very similar. All domains are different. But using 3.txt as the path is equivalent. That is, packets in the form of https://(random).netlify.app/3.txt commonly occur first. The picture below is an example of the first packet extracted from three different apps.
Figure 4. Similarity of the initial packet form
Users affected worldwide
This threat has been detected in various countries around the world. Indicated by our telemetry, the threat has been most prominently detected in the United States, Canada, South Korea, and Brazil.
Figure 5. Users around the world who are widely affected
As we featured in the McAfee 2023 Consumer Mobile Threat Report, one of the most accessible content for young people using mobile devices is games. Malware authors are also aware of this and try to hide their malicious features inside games. Not only is it difficult for general users to find these hidden features, but they can easily trust games from official stores such as Google Play.
We first recommend that users thoroughly review user reviews before downloading applications from the store. And users should install security software on their devices and always keep up to date.
Indicators of Compromise
| Package Name | Application Name | SHA256 | GooglePlay Downloads |
| com.good.robo.game.builder.craft.block | Block Box Master Diamond | 300343e701afddbf32bca62916fd717f2af6e8a98fd78cc50d11f1154971d857 | 10M+ |
| com.craft.world.fairy.fun.everyday.block | Craft Sword Mini Fun | 72fa914ad3460f9e696ca2264fc899cad20b06b640a7adf8cfe87dd0ea19e137 | 5M+ |
| com.skyland.pet.realm.block.rain.craft | Block Box Skyland Sword | d15713467be2f60b2bc548ddb24f202eb64f2aed3fb8801daec14e708f5cee5b | 5M+ |
| com.skyland.fun.block.game.monster.craft | Craft Monster Crazy Sword | cadbc904e77feaaf4294d218808f43d50809a87202292e78b0e6a3e164de6851 | 5M+ |
| com.monster.craft.block.fun.robo.fairy | Block Pro Forrest Diamond | 08429992bef8259e3011af36ad9d3c2a61b8df384860fd2a007a32a1e4d634af | 1M+ |
| com.cliffs.realm.block.craft.rain.vip | Block Game Skyland Forrest | 34ef407f2bedfd8485f6a178f14ee023d395cb9b76ff1754e8733c1fc9ce01fb | 1M+ |
| com.block.builder.build.clever.craft.boy | Block Rainbow Sword Dragon | 23aa3cc9481591b524a442fa8df485226e21da9d960dc5792af4ae2a096593d5 | 1M+ |
| com.fun.skyland.craft.block.monster.loki | Craft Rainbow Mini Builder | 88fa7de264c5880e65b926df4f75ac6a2900e3718d9d3576207614e20f674068 | 1M+ |
| com.skyland.craft.caves.game.monster.block | Block Forrest Tree Crazy | 010c081e5fda58d6508980528efb4f75e572d564ca9b5273db58193c59987abf | 1M+ |
| com.box.block.craft.builder.cliffs.build | Craft Clever Monster Castle | 11c5e2124e47380d5a4033c08b2a137612a838bc46f720fba2a8fe75d0cf4224 | 500K+ |
| com.block.sun.game.box.build.craft | Block Monster Diamond Dragon | 19ad0dc40772d29f7f39b3a185abe50d0917cacf5f7bdc577839b541f61f7ac0 | 500K+ |
| com.builder.craft.diamond.block.clever.robo | Craft World Fun Robo | 746e2f552fda2e2e9966fecf6735ebd5a104296cde7208754e9b80236d13e853 | 500K+ |
| com.block.master.boy.craft.cliffs.diamond | Block Pixelart Tree Pro | 25b22e14f0bb79fc6b9994faec984501d0a2bf5573835d411eb8a721a8c2e397 | 500K+ |
| com.fun.block.everyday.boy.robo.craft | Craft Mini Lucky Fun | 9fdddf4a77909fd1d302c8f39912a41483634db66d30f89f75b19739eb8471ff | 500K+ |
| com.builder.craft.block.sun.game.mini | Block Earth Skyland World | b9284db049c0b641a6b760e7716eb3561e1b6b1f11df8048e9736eb286c2beed | 500K+ |
| com.dragon.craft.world.pixelart.block.vip | Block Rainbow Monster Castle | d6984e08465f08e9e39a0cad8da4c1e405b3aa414608a6d0eaa5409e7ed8eac1 | 500K+ |
| com.craft.vip.earth.everyday.block.game | Block Fun Rainbow Builder | f3077681623d9ce32dc6a9cbf5d6ab7041297bf2a07c02ee327c730e41927c5f | 500K+ |
| com.block.good.mini.craft.box.best | Craft Dragon Diamond Robo | e685fb5a426fe587c3302bbd249f8aa9e152c1de9b170133dfb492ed5552acc9 | 500K+ |
| com.lucky.robo.craft.loki.block.good | Block World Tree Monster | 06c3ba10604c38006fd34406edd47373074d57c237c880a19fb8d3f34572417d | 100K+ |
| com.caves.robo.craft.dragon.block.earth | Block Diamond Boy Pro | 122406962c303eaeb9839d767835a82ae9d745988deeef4c554e1750a5106cf0 | 100K+ |
| com.tree.world.city.block.craft.crazy | Block Lucky Master Earth | e69fe06cb77626be76f2c92ad4229f6eb04c06c73e153d5424386a1309adbd15 | 100K+ |
| com.game.skyland.craft.monster.block.best | Craft Forrest Mini Fun | e5fc2e6e3749cb4787a8bc5387ebb7802a2d3f9b408e4d2d07ee800056bb3e16 | 100K+ |
| com.everyday.vip.caves.house.block.craft | Craft Sword City Pro | 318165fd8d77a63ca221f5d3ee163e6f2d6df1f2df5c169aca6aca23aef2cf25 | 100K+ |
| com.cell.rain.block.craft.loki.fairy | Block Loki Monster Builder | 4f22be2ce64376f046ca180bd9933edcd62fd36f4a7abc39edf194f7170e2534 | 100K+ |
| com.block.good.sun.boy.craft.fun | Block Boy Earth Mini | 3b0cf56fb5929d23415259b718af15118c44cf918324cc62c1134bf9bc0f2a00 | 100K+ |
| com.fairy.builder.sun.skyland.craft.block | Block Crazy Builder City | 537638903f31e32612bddc79a483cb2c7546966cca64c5becec91d6fc4835e22 | 100K+ |
| com.monster.house.good.block.earth.craft | Craft Sword Vip Pixelart | 5f85f020eb8afc768e56167a6d1b75b6d416ecb1ec335d4c1edb6de8f93a3cad | 100K+ |
| com.block.best.boy.craft.sword.cell | Block City Fun Diamond | 698544a913cfa5df0b2bb5d818cc0394c653c9884502a84b9dec979f8850b1e7 | 100K+ |
| com.crazy.clever.city.block.caves.craft | Craft City Loki Rainbow | ba50dc2d2aeef9220ab5ff8699827bf68bc06caeef1d24cb8d02d00025fcb41c | 100K+ |
| com.cliffs.builder.craft.block.lucky.earth | Craft Boy Clever Sun | 77962047b32a44c472b89d9641d7783a3e72c156b60eaaec74df725ffdc4671b | 100K+ |
| com.lucky.best.block.game.diamond.craft | Block City Dragon Sun | ac3d0b79903b1e63b449b64276075b337b002bb9a9a9636a47fdd1fb7a0fe368 | 100K+ |
| com.build.craft.boy.loki.master.block | Craft Loki Forrest Monster | a2db1eba73d911142134ee127897d5857c521135a8ee768ae172ae2d2ee7b1d4 | 100K+ |
| com.build.lokicrafts.master.forest | Lokicraft: Forrest Survival 3D | 0f53996f5e3ec593ed09e55baf1f93d32d891f7d7e58a9bf19594b235d3a8a84 | 50K+ |
| com.sun.realm.craft.lucky.dragon.block | Craft Castle Sun Rain | 1e74e73bc29ce1f55740e52250506447b431eb8a4c20dfc75fd118b05ca18674 | 50K+ |
| com.block.craft.vip.sun.game.box | Craft Game Earth World | 7483b6a493c0f4f6309e21cc553f112da191b882f96a87bce8d0f54328ac7525 | 50K+ |
| com.rain.crazy.lucky.pro.block.craft | Craft Lucky Castle Builder | de5eb8284ed56e91e665d13be459b9a0708fa96549a57e81aa7c11388ebfa535 | 50K+ |
| com.JavaKidz.attacksnake | Craftsman: Building City 2022 | e19fcc55ec4729d52dc0f732da02dc5830a2f78ec2b1f37969ee3c7fe16ddb37 | 50K+ |
| com.skyland.house.block.craft.crazy.vip | Craft Rainbow Pro Rain | a7675a08a0b960f042a02710def8dd445d9109ca9da795aed8e69a79e014b46f | 50K+ |
Introducing McAfee+
Identity theft protection and privacy for your digital life
Download McAfee+ Now
source: McAfee Labs
