Malicious Android apps have a habit of sneaking their way into the Google Play store without getting caught by the usual security protections. One tactic that often seems to work is to impersonate a legitimate app with the real intent effectively obfuscated. A collection of more than 20 apps found by security firm Kaspersky on Google Play pretended to be Minecraft mods but were actually adware. In a blog post published on Monday, Kaspersky identifies the apps and offers advice to anyone who may have installed one.
Released in 2009, Minecraft has proven a hot commodity, not just among gamers but among teachers, architects, and urban planners who use the program to help design public places. That’s why the app is ripe for exploitation by cybercriminals who target their campaigns against adults, teens, and children.
Detected by Kaspersky since July of this year, the more than 20 nasty apps all worked in a decidedly devious manner. After installation, the alleged Minecraft modpack doesn’t actually load any mods; in fact, it doesn’t do much of anything, according to the security firm. After the app is closed, it then disappears from the smartphone’s home screen and menus.
However, the app actually remains installed on the smartphone to do its dirty work, specifically displaying ads. One of the apps analyzed by Kaspersky automatically opened a browser window with ads every two minutes, naturally interfering with the normal use of the phone. Further, the apps could even open Google Play and Facebook or play YouTube videos, actions that varied based on orders from the Command & Control server run by the criminals behind this campaign.
On the low end, some of the apps picked up little more than 500 installations. But on the high end, the most popular ones grabbed more than 1 million downloads. Although the apps claimed different publishers, the descriptions on two of them were virtually the same, even with the same typos.
The reviews of the apps were one tipoff as to their nefarious goal since the ratings were all over the place. Most of the scores were either 5s or 1s, a range that points to botnets leaving great reviews but regular human users giving the apps a severe thumbs-down. However, as Kaspersky points out, the attackers behind this one were specifically targeting kids and teens, who may not pay the necessary attention to the ratings and reviews.
After its discovery, Kaspersky alerted Google, which has since removed the malicious apps from Google Play. However, the apps will still persist on the phones of anyone who downloaded them. Plus, the creators may try to get their apps back in Google Play by tweaking them and publishing them under different accounts.
Without knowing the cause of the recurring and annoying ads, users would likely have a difficult time trying to resolve the issue. Uninstalling and reinstalling the browser won’t fix the trouble. Neither would adjusting the browser settings. The only way to eliminate the problem is to remove the offending app, though that can be tricky, according to Kaspersky.
You first have to identify the app, and then you need to find it on the phone. To locate it, go to Settings, then Apps and notifications, then Show all apps, and delete the identified app. Any of the malicious apps removed this way is gone completely and won’t try to restore itself.