Malware in Games

Research carried out by Avast found that all 47 games that were part of this attack contained code that violated Google Play's spam and advertising policies. The vast majority had been published under different developer profiles so as not to arouse suspicion, and had been present in the Google Play Store since the beginning of May.
According to the researchers, to carry out this campaign the games were published on Google Play either hiding their true purpose or with the malicious code introduced through incremental updates that would arrive once users had already installed the games on their devices. From that moment on, intrusive ads that were difficult to remove began to appear, in addition to the application icon being hidden and the app being made difficult to uninstall. The table below lists some of the games infected with malicious code, which were removed from Google Play after the researchers' warning:
App name | Downloads |
Draw Color by Number | 1,000,000 |
Skate Board – New | 1,000,000 |
Find Hidden Differences | 1,000,000 |
Shoot Master | 1,000,000 |
Spot Hidden Differences | 500,000 |
Dancing Run – Color Ball Run | 500,000 |
Find 5 Differences | 500,000 |
Joy woodworker | 500,000 |
Throw Master | 500,000 |
Throw into Space | 500,000 |
Divide it – Cut & Slice Game | 500,000 |
Tony Shoot – NEW | 500,000 |
Assassin legend | 500,000 |
Stacking Guys | 500,000 |
Save your boy | 500,000 |
Assassin Hunter 2020 | 500,000 |
Stealing Run | 500,000 |
Fly Skater 2020 | 500,000 |
Disc Go! | 500,000 |
By studying how the malware operates, it was discovered that some of the apps did serve their stated purpose, giving users the ability to play the first levels. To do this, once the app was installed, a ten-minute counter was started that allowed the user to play during that time before the app carried out its malicious tasks. If the phone was kept unlocked, the counter would be reset to allow the user to continue playing and not raise suspicions.
Once the necessary conditions were in place for the game to carry out its true mission, the main activity of the game was first deactivated, removing the icon from the application drawer. From that moment on, intrusive ads began to be displayed in full screen, as well as in banners and notifications.
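A defender-side triage check for the icon-hiding step described above, as an added example that is not from Avast or the original article: it parses text modeled on the `disabledComponents:` section of `adb shell dumpsys package` output and lists third-party packages that have disabled one of their own components. The sample dump, the package names and the function `find_hidden_candidates` are constructed for illustration, and the exact dump layout varies by Android version.

```python
import re

# Constructed sample modeled on `adb shell dumpsys package` output.
# Package and component names are made up; real layout varies by version.
SAMPLE_DUMP = """\
Packages:
  Package [com.example.colorgame] (1a2b3c):
    flags=[ HAS_CODE ALLOW_CLEAR_USER_DATA ]
    User 0: installed=true hidden=false stopped=false enabled=0
      disabledComponents:
        com.example.colorgame.MainActivity
      enabledComponents:
        com.example.colorgame.AdService
  Package [com.example.notes] (4d5e6f):
    flags=[ HAS_CODE ALLOW_CLEAR_USER_DATA ]
    User 0: installed=true hidden=false stopped=false enabled=0
  Package [com.android.settings] (778899):
    flags=[ SYSTEM HAS_CODE ]
    User 0: installed=true hidden=false stopped=false enabled=0
      disabledComponents:
        com.android.settings.SomeLegacyActivity
"""

PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")

def find_hidden_candidates(dump: str) -> dict[str, list[str]]:
    """Map each third-party package to the components it has disabled."""
    disabled: dict[str, list[str]] = {}
    system: set[str] = set()
    pkg, section = None, None
    for line in dump.splitlines():
        text = line.strip()
        m = PKG_RE.match(line)
        if m:                                   # start of a new package block
            pkg, section = m.group(1), None
        elif pkg is None or not text:
            continue
        elif text.startswith("flags=") and " SYSTEM " in text:
            system.add(pkg)                     # preinstalled, not a store app
        elif text in ("disabledComponents:", "enabledComponents:"):
            section = text.rstrip(":")
        elif text.startswith("User ") or "=" in text:
            section = None                      # any key=value line ends a list
        elif section == "disabledComponents":
            disabled.setdefault(pkg, []).append(text)
    return {p: c for p, c in disabled.items() if p not in system}

if __name__ == "__main__":
    print(find_hidden_candidates(SAMPLE_DUMP))
```

Legitimate apps also disable components, so the result is a triage list: a hit matters when the disabled component is the app's launcher activity and the app still shows ads.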
After a first warning, Google was able to remove 30 of the malicious apps from the Google Play Store. Later, the rest of the apps involved in this campaign were removed. Avast offers a sheet listing all the games infected by this Trojan.