Scareware: Fake Minecraft apps Scare Hundreds of Thousands on Google Play

ESET has discovered over 30 scareware applications available for download from the Google Play store. The malicious applications, which pretended to be cheats for the popular Minecraft game, have been installed by more than 600.000 Android users.

It’s not easy to slip a malicious application into Google’s official Play Store these days. Google’s automated application scanner, Bouncer, helps in reducing the number of malware on the official app store. Yet, some baddies do occasionally get by, as demonstrated by our recent discovery of over 30 scareware applications that have been uploaded to the Play store in the course of the last 9 months

Figure 1 Removed fake applications

Most of the rogue applications pretended to be cheats for the popular Minecraft game. All of the discovered apps were fake, in that they did not contain any of the promised functionality and only displayed banners that tried to trick users into believing that their Android system is infected with a “dangerous virus”. Users were then directed to remove viruses by activating a premium-rate SMS subscription that would cost them 4.80 EUR per week.

All of the identified scareware apps behaved in a similar way, the only differences being in the names and icons of the applications. They were uploaded to the Play store by different developer accounts, but we assume that these were all created by one person.

The first scareware applications were uploaded to the store in August 2014. During the time they were online, they received poor user reviews and negative comments. Yet, according to public data from the Google Play store, several of them were installed between 100.000 – 500.000 times and the total number of installations of all 33 scareware applications lies between 660.000 and 2.800.000.

Figure 2 Cheats For Minecraft

ESET security software detects this threat as Android/FakeApp.AL. After our notification, Google has taken the apps down from the Play store.


After installation, all of the applications looked and behaved in a similar manner. The apps’ icons resembled the official Minecraft game.

Figure 3 Application icons

After launching the application, the whole screen was covered with flashing advertisement banners. The app itself has three buttons – Start, Options, Exit, but none of their functionality was implemented in the code.

The language of the scareware advertisements is based on the geographic location of the device – a common practice in ransomware.

Figures 4,5 Virus was found?

Any user interaction with the application – either clicking the Start, Options, and Exit buttons, or clicking on one of the numerous ad banners – will lead to an alert window popping up, saying that the device is infected with a virus and gives the victim the possibility to remove it.

Clicking on the alert leads to another step of the scam – several websites with more scareware messages. One of these websites tries to appear as if they belonged to the legitimate AV vendor, G-Data.

Figures 6-8 Scareware messages and a fake G-Data Mobile Security webpage

In the endgame of the scam, the scareware prepares an SMS in the system default SMS application. The text of the SMS appears as an activation of the antivirus product. The application does not have permissions to send the SMS itself and solely relies tricking the user to do it manually by social engineering. If the user falls for the scam, it will cost him 4.80 € per week.

Note that the scam webpage has nothing to do with the legitimate G Data security software.


The damage that this recent Android malware discovery can inflict is perhaps less acute when compared to the file-encrypting Android/Simplocker but the seriousness of this threat lies in the fact that it may have been downloaded by almost three million users from the official Google Play store.

Google’s Bouncer has been used since late 2011 on all uploaded applications and it has decreased the percentage of malicious applications in the store by about 40%. In March 2015 Google announced that all applications will also be reviewed by humans. This step should increase security and further lower the amount of malicious applications on Google Play.

Generally, Android users can effectively avoid the installation of malicious or unwanted applications. Refrain from downloading apps from unofficial sources and keep security software on your Android (ESET Mobile Security, for example) up to date. It is also advisable to spend some extra time to read reviews from people who already installed it and to consider what permissions an app requests during installation.

by Lukas Stefanko, ESET

Popular GTA V mods come with unwanted malware

Two popular Grand Theft Auto V modifications have been found to contain unwanted additional malware, according to The Escapist.

Modifications allow fans of games to change the way they play in fundamental ways, and are often done with the blessing of the publishers. The two mods in question are Angry Planes and Simple Noclip. The former spawns aggressive planes which attack the player, while the latter allows players to walk through walls and objects. Although both delivered the promised features, they came up with a nasty surprise exposed on GTAForums.

It seems the downloads come with a keylogger, which sends its data to a remote server. The Escapist also notes that it contains modules for ‘flooding targets with network traffic.”

Although not everyone has reported being able to find evidence of the malware – which seems to come packaged as a file called fade.exe – gamers who have run the mods are warned to take no chances, and to change all their passwords to be on the safe side. It is not unheard of for malware to remove its files to avoid detection, after all. That said, The Independent claims that users who haven’t run the mods may be safe, as “just downloading it is thought not to cause the problems.”

The site has since removed the two mods, and promised a more thorough approvals process in future in order to flush out malicious modifications before they can do their damage. “If you post compiled scripts in .asi, .dll, or .net.dll formats, the approval process will be much lengthier. We recommend avoiding these formats completely and publishing your mods as .lua or .cs source files, these kinds of scripts will be approved very quickly because the source can be verified,” the site owners wrote.

360b /
by Alan Martin, ESET

Monthly Threat Report: April 2015


The Top Ten Threats

1. Win32/Adware.MultiPlug
Previous Ranking: 1
Percentage Detected: 3.57%
Win32/Adware.Multiplug is a Possible Unwanted Application that once it gets a foothold on the users system might cause applications to display pop-up advertising windows during internet browsing.

2. Win32/Bundpil
Previous Ranking: 2
Percentage Detected: 1.81%
Win32/Bundpil.A is a worm that spreads via removable media. The worm contains an URL address from which it tries to download several files. The files are then executed and HTTP is used for communication with the C&C to receive new commands. The worm may delete the following folders:

3. JS/Kryptik.I
Previous Ranking: 7
Percentage Detected: 1.70%
JS/Kryptik is a generic detection of malicious obfuscated JavaScript code embedded in HTML pages; it usually redirects the browser to a malicious URL or implements a specific exploit.

4. Win32/TrojanDownloader.Waski
Previous Ranking: 3
Percentage Detected: 1.67%
Win32/TrojanDownloader.Waski is a Trojan that uses HTTP to try to download other malware. It contains a list of two URLs and tries to download a file from the addresses. The file is stored in the location %temp%\¬miy.exe, and is then executed.

5. LNK/Agent.AV
Previous Ranking: 6
Percentage Detected: 1.35%
LNK/Agent.AV is a link that concatenates commands to execute legitimate code while running the threat code in the background. It is similar in its effect to the older autorun.inf type of threat.

6. Win32/Sality
Previous Ranking: 4
Percentage Detected: 1.27%
Sality is a polymorphic file infector. When executed registry keys are created or deleted related to security applications in the system and to ensure that the malicious process restarts each time the operating system is rebooted.
It modifies EXE and SCR files and disables services and processes implemented by and associated with security solutions.
More information relating to a specific signature:

7. Win32/Ramnit
Previous Ranking: 9
Percentage Detected: 1.20%
This is a file infector that executes every time the system starts. It infects .dll (direct link library) and .exe executable files and also searches htm and html files so as to insert malicious instructions into them. It exploits a vulnerability (CVE-2010-2568) found on the system that allows it to execute arbitrary code. It can be controlled remotely to capture screenshots, send information it has gathered, download files from a remote computer and/or the Internet, and run executable files or shut down/restart the computer.

8. HTML/ScrInject
Previous Ranking: N/A
Percentage Detected: 1.19%
Generic detection of HTML web pages containing obfuscated scripts or iframe tags that automatically redirect to the malware download.

9. Win32/AdWare.ConvertAd
Previous Ranking: N/A
Percentage Detected: 1.17%
Win32/Adware.ConvertAd is an adware used for delivery of unsolicited advertisements. The adware is usually a part of other malware.

10. HTML/Refresh
Previous Ranking: 5
Percentage Detected: 1.14%
HTML/Refresh is a Trojan that redirects the browser to a specific URL location with malicious software. The program code of the malware is usually embedded in HTML pages.

Love hurts: Online dating scams are Australia’s top financial fraud

Australians were scammed out of around AUS$82 million (US$66 million) during 2014, with online dating fraud accounting for the biggest losses, reports

The figures courtesy of the Australian Competition and Consumer Commission (ACCC) show that more than 91,000 scam complaints were received last year, with one in ten victims tricked out of more than AUS$10,000 (US$8,000). For 14 victims, the losses were greater than AUS$500,000 (US$400,000).

The report notes that romance-based scams accounted for more than a third of financial fraud, as AUS$28 million (US$22 million) was stolen from victims who sent money to false admirers. This was the top category in the ACCC’s report, followed by get-rich-quick investment schemes, says NDTV Gadgets.

“There is a common misconception that scam victims are only the greedy and gullible,” said ACCC deputy chairman Delia Rickard.

“Anyone can fall victim to a scam and we are all vulnerable at some time in our lives to those unscrupulous individuals willing to take advantage of our better nature or simple mistakes.”

The ACCC report also claims that the actual amount stolen is likely to be higher than the sum of complaints, with some victims either unaware of the crimes or too embarrassed to report them. Surprisingly, most of the frauds that were reported occurred by phone, via calls or text message (53%), while 38% were online. Rickard warns, though, that data for those phone scams may have been captured online.

“Increasingly, scammers are using personal information gleaned from social media profiles to target victims for a fraudulent relationship or investment,” she said.

“Scammers are constantly ‘phishing’ for your personal details such as your name, address and birthdate and this will only increase too as your personal data becomes more valuable to them.”

Internet users looking for love are advised to secure their social media profiles, as well as protecting themselves against online dating scams by following the advice in our video below.

by Kyle Ellison, ESET

How did the Internet change the everyday work of a security researcher?

Every May 17th is World Telecommunication and Information Society Day, which attempts to raise global awareness on how the Internet and new technologies changed our society, and the opportunities they gave to improve our lifestyle. This special date, also known as Internet Day in some Spanish-speaking countries, is an opportunity for us at ESET to celebrate its existence by remembering what it was like to work in security before the Internet appeared.

What do you think it was like to do the everyday work of a security researcher in the 1980’s? What has changed in terms of protection against threats? And, how has the procedure to find and investigate security issues changed?

This and other queries were answered by two of ESET’s respected security researchers, with decades of experience and a lot of stories to tell: Aryeh Goretsky and David Harley.

ESET’s Distinguished Researcher Aryeh Goretsky has been around technology and computers ever since he used a Commodore PET for the first time in the late 1970’s. H having worked now for some two-and-a-half decades in this industry, he has an interesting point of view when it comes to the rise of the Internet:

“We used to say that computer viruses spread at the speed at which courier and postal services could ship and deliver infected floppies.”

I suppose the Internet has been something of a mixed blessing for me. While it has enabled all sorts of means of communication that simply were not possible before (think instant messaging) as well as allowing existing lines of communication to occur at faster rates, it has also allowed malicious code to spread orders of magnitude more quickly than it previously could: before that, network connections often meant computers calling each other with  modems over telephone lines, or overnighting a set of floppy diskettes or CDs by courier, since that was faster than the network communications we had.

In the beginning, we used to say that computer viruses spread at the speed at which courier and postal services could ship and deliver infected floppies. Nowadays, a worm or other malware can become globally pandemic in an hour or two.”

In the early days of malware, floppy disks were the main means of distribution.

Meanwhile, ESET Senior Research Fellow David Harley started his career in information technology in the 1980’s and, ever since, he says industry puts up with him because, well, he’s been around so long –having written a number of Internet FAQs and articles on programming and security back when those were issues that most people didn’t think of as being important to them.

“In the 1980s, when I moved into information technology as a career, the Internet had already existed for a couple of decades – in fact, some of its underlying technologies, notably the telephone system, are far older. Nonetheless, it was a very different environment. There was no World Wide Web as such, though there were protocols and utilities subsequently assimilated into and/or replaced by web browser technology (archie, gopher, veronica).

“I first began to work from home – using a US Robotics modem borrowed from work that cost more than my own PC and occupied almost as much space as a trio of 12” baguettes.”

Access to the handful of machines that were permanently connected to the Internet was usually filtered for home users through services like AOL. Until I left the UK’s National Health Service in 1989, my online communications with the outside world were mostly restricted to services that sidestepped the ‘proper’ Internet – bulletin boards and the UK’s Prestel videotex/Viewdata system (rather like the teletext systems that have been gradually vanishing from television in recent years).

Moving to the Imperial Cancer Research Fund (now merged into Cancer Research UK) gave me direct access to more hardware – one of the (then) new 80386-driven PCs, a Mac IIcx, and a Sun workstation – but even when we got our own permanent connection to the Internet, it was limited to terminal access to a server in the NOC (Network Ops Centre) via telnet, kermit, and FTP. Still, it gave me access to useful resources such as mailing lists, security newsgroups, and vendor web sites.

And when I first began to work from home – using a US Robotics modem borrowed from work that cost more than my own PC and occupied almost as much space as a trio of 12” baguettes – I was able to add those resources to my home access to CIX and Compuserve (which both already gave me email, and access to various useful forums). Indeed, it’s through all these resources that I first met (virtually at any rate) many of the people I work with now (inside and outside ESET), and work I did on Internet FAQs provided a basis for some of my early articles, papers and books.”

Dial up modems were once our main way of accessing the internet.

So how did the Internet change our lives and what new possibilities emerged? Aryeh Goretsky says:

“Most financial crimes use computers instead of guns to accomplish their thefts.”

The Internet changed not just how people did existing things on their computers, like writing letters or drawing pictures, but gave rise to new services as well. Electronic banking existed well before—it was available on some dial-up services like CompuServe, Prodigy and QuantumLink, to name a few—but it was not until ISPs came onto the scene that banking followed, eager to give their customers new conveniences and services.

PayPal emerged as the de-facto standard for person-to-person financial transactions, and even criminals had their own payment systems, like e-gold and Liberty Reserve. With all of this money moving around the web, it wasn’t long before criminals looked for ways to steal it, and today, most financial crimes use computers instead of guns to accomplish their thefts.”


While according to David Harley:

“By 2001, Windows and Mac machines were able to make good use of the Internet and the Web in and out of the office. Indeed, working from home (which I’ve done full-time since 2006) tends to give the computer user more control and wider scope in terms of the services and applications used, at any rate if s/he uses his or her own device and is not reliant on an employer for Internet access.

The flipside is that users were more able to put themselves in harm’s way when the IT unit wasn’t responsible for their connection: by that time there was a lot more to worry about than infected floppy disks, with threats of all sorts capable of traversing the ether almost instantaneously, and keeping up with security news and having good network protection was more important than ever. Of course that hasn’t changed with the onset of BYOD/CYOD.”


And what does this mean for a security researcher? Aryeh Goretsky says there’s a challenge:

“It means that things move much faster, and as a result, we have to respond more quickly.”

It means that things move much faster, and as a result, we have to respond more quickly.  Fortunately, the same Internet which empowers all the positive things allows us to communicate more efficiently as well, sharing threat intelligence and data.

And that means we can do things like leverage the power of the advances in networking, software and hardware that allow the Internet to run at scale not just to distribute things like updates more quickly than before, but reduce false positives, compatibility issues and other types of problems that plagued the old reactive kinds of anti-virus software that were reactive.”

The always-on internet connections mean that it's easier than ever to keep software updated.

That being said, David Harley concludes:

“The interactive nature of today’s web means that there is more information (and misinformation) out there than any one person can ever hope to gather and verify.”

The Internet gives me access to my colleagues at ESET, specialist mailing lists that share threat intelligence (and much else), the media, and a multitude of resources that simply didn’t exist or were impossible to find in the early 90s. Of course it’s easier to publish timely commentary (or papers, manuals, FAQs and so forth) with standard blogging and CMS tools than it was with lynx on a Unix server, and researching the topics for that content is far easier.

However, those advantages also have a flipside. The interactive nature of today’s web means that there is more information (and misinformation) out there than any one person can ever hope to gather and verify, unless it concerns an unusually esoteric topic.

It’s easier for someone who already has expertise in a particular field to select and evaluate information from that field, of course, but what is the everyday user supposed to do when anyone with a laptop – or even a cell phone – can find somewhere to say what they like?”

Rob Wilson /
by Sabrina Pagnotta, ESET

5 signs that an app could be risky

There are hundreds of thousands of applications available for iOS, Android, Windows and Blackberry, via their respective app stores and third-party sites. But not all of them are worth your time and money. We Live Security looks at five signs the app you’re about to download could be risky, and worth investigating further.

Excessive permissions

Perhaps the biggest complaint right now with mobile applications, irrespective of which operating system they run, is that they require too many permissions before you can download the application.

For example, take your average free flashlight app. There’s no real reason for any of these to have access to core device functionality and yet many apps like these want to tap your contacts, photos and location. There are also other apps, such as one showing cinema showing times, requiring access to your photos.

Why is this risky? Well, for starters, you don’t know if this vendor is securing this information and, more likely, if they are collecting and then selling this information onto third-parties like ad networks and analytics companies.

And with many of these apps asking for your location, tracking becomes a potential concern with some experts suggesting that the information, if it ended up in the wrong hands, could alert criminals to when you’re not at home.

Pop-up ads

Increasingly, mobile apps on app storefronts are free but with a catch; the free app will serve ads and come with standard features, while those seeking an ad-free experience with more functionality will have to upgrade in-app.

On most occasions this is a mild irritation but there have been occasions where ad networks, used to insert ads into apps, have been hacked. For instance, the “Vulna” ad library, which collected personal info about users, could be used to attack Android devices. Researchers estimated that apps running Vulna in the background had been downloaded more than 200 million times.

Name looks similar to existing app

iTunes and Google Play are generally very good at spotting malicious apps, but some do still get through the app review process. Meanwhile, other users are putting themselves at substantially more risk by downloading apps from third-party app stores.

It’s on these third-party app stores that you need to be especially vigilant, watching out for malicious software disguised to look and feel like the legitimate app. They could be a carbon copy, but still be secretly harvesting your details. Alternatively, and this is especially true on those third-party market places, they could be legitimate, but cracked and repackaged by criminals.

In-app purchases

In-app purchases are a risk, but not so much from a security perspective. Instead, they are a concern because users can unknowingly spend much more money when inside an app than initially intended.

There have been numerous stories about children, using their parents’ iPhone or iPad, racking up application bills into the tens of thousands. This forced Apple to last year settle with the FTC for $32.5 million to provide full-refunds to certain apps.

Users, and especially those with children, should therefore look to limit the child controls on their iOS and Android devices. In iOS, go to settings, general, restrictions and ‘enable restrictions’. For Android, go to the app settings, user controls and set a PIN to confirm in-app purchases.


Authentication is always an issue with any online service; passwords are crackable and difficult to manage, while even biometrics and Single Sign On (SSO) have flaws.

The latter, which lets you use your Facebook or Twitter profile to log-in to various sites, is a bonus for speed and convenience but isn’t immune from attack. Hackers could well launch a brute-force attack against the passwords used for these social networks – and subsequently gain access to any other accounts using the same credentials to log-in.

Biometrics is also not infallible if there’s no back-up authentication method; just last week, researchers showed how they could clone a fingerprint on a Samsung Galaxy S5.

Furthermore, even though Apple prohibits iOS developers from accessing the device identifier, the UDID, a study from Appthority last summer showed that 26 percent of the top iOS apps still did.

The lessons in all of this is only use SSO for apps and sites you really trust, and to use two-factor-authentication (2FA) where possible as a secondary method for authentication.

Unencrypted data

The sad fact is that many application developers are rushing their apps to market so quickly that they sometimes don’t get the code right, with security and privacy often not in-built from the start. Look at all those apps with exposed vulnerabilities and there’s your proof.

A requirement of all applications should be that they encrypt your data from end-to-end – including when in transit and when at rest. However, as apps like WhatsApp, Viber and numerous others have found out, a lack of encryption could be exploited, enabling hackers to steal all data about the user, including name, email address, phone number, home address, and credit card info.

Sadly for users, there’s no immediate way to check if an app is securing the data it saves or transmits. The only thing you can do is check the terms and conditions, the permissions and read app reviews. Those who are technically more advanced could monitor app data transmission and storage, but this is more difficult to do.

by Karl Thomas, ESET

Jamie Oliver website potentially infecting visitors

The website of celebrity TV chef and food activist Jamie Oliver has been compromised with malware for the third time this year, potentially infecting the computers of the site’s visitors, reports The Register.

As with the most recent attack in February, the problem stems from malicious links found on all pages of the site, embedded into iFrames and now shortened links that redirect to the Fiesta exploit kit. Once clicked, the kit will attempt to infect the victim with a Flash exploit, a Java exploit and two password-stealing payloads.

As the BBC explains, victims without adequate security may find their computers infected with a program that runs permanently in the background, scanning for passwords which it forwards to the scammers without the users’ knowledge.

A spokesperson for the Jamie Oliver website said the team are working “to find the issue once and for all”, which will come as good news to the site’s regular visitors after the problem was declared fixed following the last attack.

“We’ve implemented daily… malware detection scans, also an industry leading web application firewall to protect against all common security attacks which has been blocking numerous hacking attempts,” said a spokesperson for the website.

“We’re also running daily manual checks which have detected and cleaned a number of threats although it’s important to note that we have had no reports from any users that have been put at risk.”

Photo: Mr Pics /

by Kyle Ellison, ESET


Get every new post delivered to your Inbox.

Join 94 other followers