If you download Minecraft mods from Google Play, read on …

Minecraft players have been exposed to scams and aggressive ads brought by 87 fake Minecraft mods recently spotted on Google Play.

The apps fall into two categories: an ad-displaying downloader, detected by ESET as Android/TrojanDownloader.Agent.JL, and fake apps that redirect users to scam websites, detected as Android/FakeApp.FG.

Altogether, the 87 fake mods reached up to 990,000 installs before we reported them on March 16th and 21st.

Ad-displaying downloader


In the first category, 14 apps impersonating Minecraft mods with up to 80,000 installs have been discovered. Similar to the ad-displaying dropper we analyzed earlier in March, this trojan uses an additional component to display out-of-app advertisements.

In this case, the component acts like a module necessary for installing the mods. The module isn’t a part of the original app – it has to be downloaded from the web and manually installed by the user after launch.

Having no real functionality and displaying aggressive ads, the apps aren’t very popular among users – as shown in the poor ratings and widely negative reviews on Google Play.


How does it operate?

When launched, the apps immediately request device administrator rights. Once those rights are granted, a screen with an “INSTALL MOD” button is displayed. At the same time, a push notification informs the user that a “special Block Launcher” is needed in order to proceed with the installation.

After clicking the “INSTALL MOD” button, the user is prompted to install the additional module “Block Launcher Pro”, granting it several intrusive permissions (including device administrator rights) in the process. The payload downloaded during the installation is detected by ESET as Android/Hiddad.DA.

Installing the module brings the user to a dead end – a static Minecraft-themed screen with no clickable elements. The only actual function of the app and its module is to display ads – which now show up on the user’s device, interrupting their activity.


Interestingly, this ad-displaying downloader is an evolved version of an app that was originally uploaded to Google Play in February. The original version used a similar interface and also demanded device administrator rights. However, it didn’t have any downloading functionality and, unlike the downloader analyzed in this article, the first version actually provided the user with real Minecraft mods.

Since the result of this evolution, a downloader, is able to fetch any sort of additional malware onto the victim’s device, there is no reason to believe the malware authors would stop at displaying unwanted ads. Seeing that they can lure thousands of users into installing their deceptive applications, more dangerous threats distributed under a similar disguise might be the next logical step.

Video capture from installation

Fake apps redirecting to scams

The remaining 73 of the detected applications use an old trick of redirecting users to scammy websites. The apps, detected by ESET as Android/FakeApp.FG, were added to Google Play between January and March 2017 and reached up to 910,000 installs before we reported them.

How does it operate?

Once launched, the apps display a screen with a download button. Clicking the button doesn’t download any mods; instead, it redirects the user to a website opened in a browser. The websites display all kinds of obtrusive content: ads, surveys, free coupon offers, jackpot wins, porn, fake updates, and fake virus warnings that attempt to scare the user. The messages are shown in different languages depending on the user’s IP address.


How to protect yourself?

If you like to download mods for Minecraft, you might have come across one of these malicious fakes.

With the fake apps redirecting to scam websites, the effects are easy to recognize – the apps don’t work and you’ll see a random scam message upon clicking their fake download button.

In the case of the ad-displaying downloader, there is no functionality either and your device keeps displaying unwanted ads. However, as the downloader is capable of downloading any additional apps to infected devices, the payload responsible for the ads may be substituted by more dangerous malware in the future.

To make sure your device is malware-free, use a reputable mobile security solution to detect and remove the threats.

If you want to remove the threats manually, you can do so by following the steps below.

To clean your device of the ad-displaying downloader, you first have to deactivate device administrator rights for both the app and the downloaded module under Settings -> Security -> Device administrators, as shown in Fig. 8; Android refuses to uninstall an app while it is still an active device administrator. Only then can you uninstall both apps by going to Settings -> Application Manager.

With the scam app, uninstalling is one step easier – you can uninstall the app in Settings -> Application Manager.

To prevent being tricked by fake apps and malware, opt for official app markets. Even then, exercise extra caution when downloading third-party apps offering additional functions to existing applications, as there may be a “catch” in these attractive-sounding offers.

Before downloading, check the popularity of the app by number of installs, ratings and, most importantly, content of reviews. In the case of these apps, low ratings and angry reviews should have been a good enough indicator of their untrustworthiness.

Samples

Android/TrojanDownloader.Agent.JL: 

Package name                          Installs           SHA-1
------------------------------------  -----------------  ----------------------------------------
com.mermaid.mod.for.minecraft.mod     10,000 – 50,000    44D5834E7D287D5C663D494A6AD4ACF8517F9847
com.mod5.from.mcpe.mod                5,000 – 10,000     1501F9EAD8A14601C4C2FF50F56AB6C3D3AC768B
com.badgraftds.little.kelly.mod       1,000 – 5,000      168CBA98F6D0EABCBAA107C40EE66562B7CD5B99
com.mod.tntntjhh.pony.mcpe.mod        1,000 – 5,000      5BBC31B26FDA3CC7E1502AA9C2937EED6F2316E1
com.mod.cvcvv.mermaid.mod             1,000 – 5,000      F5B7D12D508E47642492C28DA1A2C51DD99CB0BB
com.wkrtjjt.little.yandere.mod        1,000 – 5,000      9541A6F0BD4A512C6DB174BCEBFFF8B480866158
com.lklljhmhg.little.carry.mod        500 – 1,000        5D4FE5B908D03B7E8C4E072EC1672DE7386796E5
com.mod.ffvbbn.backpack.mod           500 – 1,000        FC4EC301026080957D50213C1669990FE1DB283A
com.mod.efefe.oasis.werr.mod          100 – 500          B6FD16C0783CB01718DAE78117AA9199CB925C0B
com.mod.rmsl.battle.mcpe.mod          100 – 500          CF39574A3ECDC22170333D665EDBFD2248870180
com.mod.fdgf.little.girlfriend.mod    100 – 500          B4AF6AF0A78F36EB1EEB407D6392C940D4AE6BC3
com.mod.rttyu.undertale.mod           100 – 500          0C47A496A56AF3226FB3CE5EB09CB4F34FD0FE8B
com.retmff.mod.little.mcpe.mod        100 – 500          225C5590F1EB70C41AA2B5F18E282E6090643E93
com.jL7PtX.mod.little.Boyfriend.mod   100 – 500          00E4B4182EBA6AD39E0338FE67C5E921D75A63BD
app.webl.instal.com.webapp            n/a                B305CE85D0972BD0EB805592275A420314972416


Android/FakeApp.FG:

Package name                                Installs           SHA-1
------------------------------------------  -----------------  ----------------------------------------
forminecraft.school                         50,000 – 100,000   3080E692ECC0BB8CE7007A438B8B4AF0BE796BBB
studio.mcpemods.starwarsforforminecraftpe   10,000 – 50,000    FC5C29A915CA8559DDD8704A38C050E38F7DEFAD
studio.mcpemods.mapbikinibottom             10,000 – 50,000    39BABDB2020A0B1D4B8E70A07FB3ECA730FA9EC8
devlabsolaris.maphelloneighborformcpe       10,000 – 50,000    AF89CAF6F8B5674746CFFD71EA59114034A50A0B
devlabsolaris.fnafmodforminecraft           10,000 – 50,000    0A5B5D6D1B4B5E2FFF56EAE8984D25C23F6B7326
su.artmik.gta5forminecraftpe                10,000 – 50,000    2C8A61902B42F9DD210D93818571ADF9D7FC4DC0
devlabsolaris.herobrinemodforminecraft      5,000 – 10,000     7A78030E4B2B295B3CEB897546390A7F4339B3F0
modsforminers.school                        5,000 – 10,000     88471AA34BDF29A46BD362A8844B8C007B99E720
devlabsolaris.horsemodforminecraft          1,000 – 5,000      3EC7FA4660455933F100AEB35E1675834EC5E1DC
devlabsolaris.dragonsmodforminecraft        1,000 – 5,000      39D71C30E01C553B91E97FF08F8B78CA00F04CB0
devlabsolaris.pixelmonminecraftmod          1,000 – 5,000      816D1A232B7DD39EA6877FC2004BAA9EFFF174A1
devlabsolaris.luckyblockmodforminecraft     1,000 – 5,000      FEDD3602EAF5111B8A41FE1F093B6B75F5B9FB7D
devlabsolaris.superherominecraftmod         1,000 – 5,000      C3702B121A9CA3B93E63D0E8A15575A169C0E7F9
devlabsolaris.tornadomodforminecraft        1,000 – 5,000      9A97415E1D405B50087DE7E34213A1F40D58C33C
devlabsolaris.gtamodforminecraft            1,000 – 5,000      ECD5EFACD13CCBDBF58B5F8B212511F7B12E9941
devlabsolaris.backpackmodforminecraft       1,000 – 5,000      8F9EDD079E1FE5D2C48DE5B9A9994E2D39C8B663
devlabsolaris.weaponsmodforminecraft        100 – 500          7F78C100C47B3130929F45B013B119656B2B0135
devlabsolaris.swordsmodforminecraft         100 – 500          23AE258960B46659EEF4C34021B1CE92EF9AA670
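The removal steps above and the sample tables lend themselves to a quick triage script. The following Python is an added example written for this page, not code from ESET or from the article: it parses rows pasted from the tables, checks them against the output of `adb shell pm list packages -f` (so you do not have to eyeball the Application Manager for 87 package names), and matches SHA-1 hashes of pulled APKs against the listed ones. Only a subset of rows is embedded; the `adb` output used at the bottom is constructed sample input, not from a real device. The 40-hex-digit hashes in the tables are SHA-1, which is why that is the digest used here.

```python
"""IOC triage for the fake Minecraft mod apps listed in the samples tables.

Added example, not part of the original ESET article. Rows are copied
from the tables as printed; the install range column is optional because
the downloaded module app.webl.instal.com.webapp is listed with a hash only.
"""
import hashlib
import re

# Subset of the table rows above; paste in the remaining rows the same way.
DOWNLOADER_ROWS = """
com.mermaid.mod.for.minecraft.mod 10,000 – 50,000 44D5834E7D287D5C663D494A6AD4ACF8517F9847
com.mod5.from.mcpe.mod 5,000 – 10,000 1501F9EAD8A14601C4C2FF50F56AB6C3D3AC768B
app.webl.instal.com.webapp B305CE85D0972BD0EB805592275A420314972416
"""
FAKEAPP_ROWS = """
forminecraft.school 50,000 – 100,000 3080E692ECC0BB8CE7007A438B8B4AF0BE796BBB
studio.mcpemods.starwarsforforminecraftpe 10,000 – 50,000 FC5C29A915CA8559DDD8704A38C050E38F7DEFAD
devlabsolaris.fnafmodforminecraft 10,000 – 50,000 0A5B5D6D1B4B5E2FFF56EAE8984D25C23F6B7326
"""

# package, optional "low – high" install range, 40-hex-digit SHA-1
ROW_RE = re.compile(
    r"^(?P<pkg>\S+)\s+(?:(?P<installs>[\d,]+\s*[–-]\s*[\d,]+)\s+)?"
    r"(?P<sha1>[0-9A-Fa-f]{40})\s*$"
)
# `pm list packages -f` prints "package:<apk path>=<package name>"
PM_LINE_RE = re.compile(r"^package:(?P<apk>.+)=(?P<pkg>[^=\s]+)$")


def parse_ioc_rows(text, family):
    """Return {package: {"family", "installs", "sha1"}} from pasted table rows."""
    iocs = {}
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError("unparseable row: %r" % line)
        iocs[m["pkg"]] = {"family": family, "installs": m["installs"],
                          "sha1": m["sha1"].upper()}
    return iocs


def load_iocs():
    iocs = parse_ioc_rows(DOWNLOADER_ROWS, "Android/TrojanDownloader.Agent.JL")
    iocs.update(parse_ioc_rows(FAKEAPP_ROWS, "Android/FakeApp.FG"))
    return iocs


def find_installed(pm_output, iocs):
    """Match `adb shell pm list packages -f` output against listed package names.

    Returns a sorted list of (package, apk_path) for every listed package found."""
    hits = []
    for line in pm_output.splitlines():
        m = PM_LINE_RE.match(line.strip())
        if m and m["pkg"] in iocs:
            hits.append((m["pkg"], m["apk"]))
    return sorted(hits)


def sha1_hex(data):
    """Upper-case hex SHA-1 of a byte string, matching the table's format."""
    return hashlib.sha1(data).hexdigest().upper()


def sha1_of_file(path):
    """SHA-1 of an APK pulled with `adb pull <apk_path>`, read in chunks."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def match_hashes(sha1_by_path, iocs):
    """Map {apk_path: sha1_hex} to sorted (path, package) pairs whose hash is listed."""
    by_hash = {v["sha1"]: pkg for pkg, v in iocs.items()}
    return sorted((path, by_hash[h.upper()])
                  for path, h in sha1_by_path.items() if h.upper() in by_hash)


def removal_commands(package):
    """adb command to remove a listed package for the primary user.

    pm uninstall is refused while the app is still an active device admin, so
    for the downloader and its module deactivate device administrator first
    (Settings -> Security -> Device administrators), as the article describes."""
    return ["adb shell pm uninstall --user 0 %s" % package]


if __name__ == "__main__":
    iocs = load_iocs()
    # Constructed sample of `adb shell pm list packages -f` output.
    sample_pm = (
        "package:/data/app/com.mermaid.mod.for.minecraft.mod-1/base.apk="
        "com.mermaid.mod.for.minecraft.mod\n"
        "package:/system/app/Calculator/Calculator.apk=com.android.calculator2\n"
        "package:/data/app/app.webl.instal.com.webapp-2/base.apk=app.webl.instal.com.webapp\n"
    )
    for pkg, apk in find_installed(sample_pm, iocs):
        print("%s (%s) at %s" % (pkg, iocs[pkg]["family"], apk))
        for cmd in removal_commands(pkg):
            print("   ", cmd)
```

On a real device, feed `find_installed()` the output of `adb shell pm list packages -f`, `adb pull` any APK it flags, and pass `{path: sha1_of_file(path)}` to `match_hashes()` to confirm the sample against the table. A package-name hit with a hash miss is still worth removing; the authors can rebuild the APK without changing the name.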

by Lukas Stefanko, ESET We Live Security

