Full Report
Authored by Dexter Shin Minecraft is a popular video game that can be played on a desktop or mobile. This... The post HiddenAds Spread via Android Gaming Apps on Google Play appeared first on McAfee Blog.
Analysis Summary
# Tool/Technique: HiddenAds (Android Ad Fraud Malware)
## Overview
HiddenAds refers to a family of malicious applications discovered on the Google Play Store, disguised as popular Minecraft-like gaming apps. Their primary purpose is to generate advertising revenue stealthily on the victims' devices by sending continuous, unauthorized advertising packets while allowing the user to play the concealed game.
## Technical Details
- Type: Malware family (Ad Fraud/Adware)
- Platform: Android
- Capabilities: Stealthily sends advertising packets, masks malicious activity behind functional-looking games, utilizes common advertising libraries (Unity, Supersonic, Google, AppLovin).
- First Seen: Discovered and reported around April 26, 2023.
## MITRE ATT&CK Mapping
* **TA0011 - Command and Control**
* T1071 - Application Layer Protocol
* T1071.001 - Web Protocols (Used for sending advertising packets)
## Functionality
### Core Capabilities
- **Distribution:** Officially uploaded to Google Play under various, deceptive titles and package names mimicking popular sandbox/crafting games.
- **User Deception:** Allows users to play the legitimate-looking game (like Minecraft) without interruption, masking the underlying malicious activity.
- **Monetization:** Continuously sends advertising packets across various domains to generate revenue, even when the ads are not visually displayed on the screen.
### Advanced Features
- **Standardized Initial Communication:** Exhibits a highly similar structure for initial network packets across different variants, often using the path `/3.txt` (e.g., `https://(random).netlify.app/3.txt`).
- **Third-Party Ad Library Abuse:** Leverages or abuses legitimate advertising libraries (Unity, Supersonic, Google, AppLovin) to facilitate the packet generation.
## Indicators of Compromise
- File Hashes: (Specific SHA256 examples provided in the context):
- `300343e701afddbf32bca62916fd717f2af6e8a98fd78cc50d11f1154971d857`
- `72fa914ad3460f9e696ca2264fc899cad20b06b640a7adf8cfe87dd0ea19e137`
- `d15713467be2f60b2bc548ddb24f202eb64f2aed3fb8801daec14e708f5cee5b`
- (And 13 other SHA256 hashes listed in the full context)
- File Names: Variable, dependent on the game package name.
- Registry Keys: N/A (Mobile Android context).
- Network Indicators: Continuous advertising packets to various domains (likely belonging to ad networks); initial connections often target domains structured like `https://(random).netlify.app/3.txt`.
- Behavioral Indicators: High volume of outbound network traffic related to advertising requests originating from the gaming application process.
## Associated Threat Actors
- Generic malware authors targeting mobile users/gaming communities to generate illicit ad revenue. McAfee labels the detection signature as **Android/HiddenAds.BJL**.
## Detection Methods
- Signature-based detection: McAfee Mobile Security detects this as `Android/HiddenAds.BJL`.
- Behavioral detection: Monitoring for high volumes of background network communication related to advertising components when no visual ads are present.
- YARA rules: Not explicitly mentioned, but custom rules could target the specific initialization packet structure (`/3.txt`).
## Mitigation Strategies
- Prevention: Users should thoroughly review user reviews before downloading applications from official stores.
- Hardening: Install and maintain security software (e.g., McAfee Mobile Security) on devices.
- General Defense: Ensure Google Play Protect is active, as it can warn users about identified malicious apps.
## Related Tools/Techniques
- Other financially motivated malware distributed via legitimate application stores.
- Malicious applications leveraging embedded, non-displaying advertising libraries common in the Android ecosystem.