Published on March 24th, 2017 | by admin

ESET Warns Minecraft Players of Fake Mods on Google Play

ESET researchers have discovered 87 malicious apps disguised as mods for Minecraft with nearly a million installs on the official app store. This means up to 990,000 Android mobile users have been exposed to malicious content and aggressive ad and scam activity by installing these fake mods.

The malicious activity can be divided into two main categories: ad-displaying downloaders detected by ESET as Android/TrojanDownloader.Agent.JL and fake apps redirecting users to scam websites, detected by ESET as Android/FakeApp.FG.

More information follows on:

  • The two categories of malicious apps, where they originated and how many people have downloaded them
  • How the malicious apps work
  • How to know you’ve been infected, and what to do if so
  • Screenshots of the apps

You can visit the ESET blog for further details about this malware and watch a video of how it works on YouTube.

About the two categories of the malicious apps

This is the second report by ESET of malicious apps abusing the popularity of the Minecraft brand after a previous scareware incident also involving fake Minecraft apps.

With up to 990,000 users having installed these fake mods, ESET researchers divided the apps into two categories: the ad-displaying downloader detected by ESET as Android/TrojanDownloader.Agent.JL and fake apps redirecting users to scam websites, detected as Android/FakeApp.FG.

  1. Ad-displaying downloader – Android/TrojanDownloader.Agent.JL

In this first category, 14 apps impersonating Minecraft mods with up to 80,000 installs have been discovered. This trojan uses an additional component to display out-of-app advertisements – similar to the ad-displaying dropper analysed by ESET earlier this month.

Here the components act like a module necessary for installing the mods. The module isn’t a part of the original app – it has to be downloaded from the web and manually installed by the user after launch. Having no real functionality and displaying aggressive ads, the apps aren’t very popular among users – as shown in the poor ratings and widely negative reviews on Google Play.

  2. Fake apps redirecting users to scam websites – Android/FakeApp.FG

ESET has reported another 73 instances using redirects to scam websites, which have reached up to 910,000 installs since being uploaded to Google Play between January and March 2017.

Once launched, the apps display a screen with a download button. Clicking the button does not download any mods; instead, it redirects the user to a website opened in a browser and displays all kinds of obtrusive content.

How the apps operate

  1. Ad-displaying downloader – Android/TrojanDownloader.Agent.JL

When launched, the apps immediately request device administrator rights. Once device administrator is activated, a screen with an “INSTALL MOD” button is displayed. Simultaneously, a push notification informs the user that a “special Block Launcher” is needed in order to proceed with the installation.

After clicking the “INSTALL MOD” button, the user is prompted to install the additional module “Block Launcher Pro”, granting it several intrusive permissions (including device administrator rights) in the process. The payload downloaded during the installation is detected by ESET as Android/Hiddad.DA.

Installing the module brings the user to a dead end – a static Minecraft-themed screen with no clickable elements. The only actual function of the app and its module is to display ads – which now show up on the user’s device, interrupting their activity.

  2. Fake apps redirecting users to scam websites – Android/FakeApp.FG

Once launched, the apps display a screen with a download button. Clicking the button doesn’t download any mods; instead, it redirects the user to a website opened in a browser.

The websites display all kinds of obtrusive content – ranging from ads, through surveys, free coupon offers, jackpot wins, porn, to fake updates and fake virus warnings attempting to scare the user. The messages are displayed to users in different languages based on their IP addresses.

How to know if your device has been infected and what to do to protect yourself

If you are a regular player of Minecraft and you like to download these apps, you may have come across one of these malicious fake apps. If you are unsure, the signs are easy to recognise: for one, the apps don’t work and you may have seen a random scam message upon clicking the fake download button.

ESET recommends following these steps to remove threats manually:

  • Only for the ad-displaying downloader, first deactivate device administrator rights for both the app and the downloaded module found under Settings -> Security -> Device administrators, as shown in Fig. 8.
  • For all these apps, uninstall by going to Settings -> Application Manager.

Alternatively, use a reputable mobile security solution to detect and remove the threats and ensure your mobile is malware-free.

“I always recommend opting for official app stores when downloading all kinds of apps, as a way of avoiding malware,” says Nick FitzGerald, Senior Research Fellow at ESET. “However, that alone would not have helped in these cases. So, even if on an official app store, it is best to be extra-cautious when downloading apps offering additional and attractive functions to existing applications – especially if they are not released by the official app developer.

“Checking the popularity and reviews of apps before installing is also generally a good indicator of the content of these apps and of their untrustworthiness. Low ratings and angry reviews are a great indicator of the risk users could run. Also, do not be a ‘canary in the coal mine’ – if an app has very few reviews, wait for a few days and check back!”
