HiddenAds Spread via Android Gaming Apps on Google Play | McAfee Blog

McAfee Mobile Research identified 38 Android games on Google Play embedding a HiddenAds component that silently generates large volumes of advertising network traffic while the games run. McAfee reported the findings to Google (apps removed) and detects the threat as Android/HiddenAds.BJL. #HiddenAds #AndroidHiddenAdsBJL #GooglePlay

Key points

  • Researchers found 38 Minecraft‑style Android games on Google Play containing hidden ad‑generation behavior, installed by tens of millions of users.
  • Apps were published under many different package names and titles, including apps with 10M+ downloads, making the threat widely distributed.
  • At runtime the apps generate continuous advertising network packets from multiple ad libraries (Unity, Supersonic, Google, AppLovin) without showing visible ads to users.
  • The initial network request across samples shares a common structure, frequently calling a path like /3.txt on random netlify.app subdomains.
  • McAfee reported the apps to Google; affected apps were removed from Google Play and McAfee labels the threat Android/HiddenAds.BJL.
  • A detailed table of IOCs (package names and SHA256 hashes) was published to help detection and remediation.

MITRE Techniques

  • [T1036] Masquerading – The apps were published under many different package names and titles to disguise their intent. Quote: ‘[published under many different package names and titles, including apps with 10M+ downloads]’.
  • [T1071.001] Web Protocols – The malware uses web-based channels to communicate with remote servers; the initial network requests include the common pattern ‘https://(random).netlify.app/3.txt’ across samples. Quote: ‘[initial network request pattern – https://(random).netlify.app/3.txt (common first-contact path used across samples)]’.

Indicators of Compromise

  • [Package Name] apps uploaded to Google Play – com.good.robo.game.builder.craft.block, com.craft.world.fairy.fun.everyday.block, and 36 more package names
  • [SHA256] APK hashes published for detection – 300343e701afddbf32bca62916fd717f2af6e8a98fd78cc50d11f1154971d857, 72fa914ad3460f9e696ca2264fc899cad20b06b640a7adf8cfe87dd0ea19e137, and 36 more hashes
  • [Domain/URL] initial network request pattern – https://(random).netlify.app/3.txt (common first‑contact path used across samples)
  • [Ad libraries / domains] sources of continuous ad traffic – ad libraries from Unity, Supersonic, Google, AppLovin observed generating background packets
  • [Application Name] visible titles on Google Play – Block Box Master Diamond, Craft Sword Mini Fun, and many other Minecraft‑style game names
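As an added example (this is not McAfee's code and not part of the original post), the following Python script applies the indicators listed above the way a defender would: it flags proxy-log requests that match the https://(random).netlify.app/3.txt first-contact pattern, counts matches per client so repeated contact from one device stands out, and checks an installed app's package name and APK SHA256 against the published IoCs. The log format "<timestamp> <client_ip> <url>" and the log lines themselves are constructed for illustration; only the two package names and two hashes quoted on this page are embedded, so a real deployment would load the full 38-entry IoC table from the linked post.

```python
"""Detection helpers for the HiddenAds indicators summarised on this page.

Added example, not McAfee's code. Assumes a proxy log with one request per
line in the constructed form "<timestamp> <client_ip> <url>". The package
names and SHA256 values are the ones quoted on this page; the log lines are
constructed and do not represent real traffic.
"""
import hashlib
import re
from collections import Counter
from typing import Iterable

# Indicators quoted on this page (the linked IoC table lists 36 more of each).
IOC_PACKAGES = frozenset({
    "com.good.robo.game.builder.craft.block",
    "com.craft.world.fairy.fun.everyday.block",
})
IOC_SHA256 = frozenset({
    "300343e701afddbf32bca62916fd717f2af6e8a98fd78cc50d11f1154971d857",
    "72fa914ad3460f9e696ca2264fc899cad20b06b640a7adf8cfe87dd0ea19e137",
})

# First-contact pattern from the page: https://(random).netlify.app/3.txt
# One or more DNS labels before netlify.app, then exactly the path /3.txt
# (an optional query string or fragment is tolerated). Anchoring the host at
# netlify.app/ keeps look-alike hosts such as x.netlify.app.example.net out.
FIRST_CONTACT_RE = re.compile(
    r"^https?://(?:[a-z0-9-]+\.)+netlify\.app/3\.txt(?:[?#].*)?$",
    re.IGNORECASE,
)


def is_first_contact_url(url: str) -> bool:
    """True if the URL matches the HiddenAds first-contact pattern."""
    return FIRST_CONTACT_RE.match(url.strip()) is not None


def scan_proxy_log(lines: Iterable[str]) -> list[tuple[str, str]]:
    """Return (client_ip, url) for every log line whose URL matches."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line: skip rather than crash the scan
        client_ip, url = parts[1], parts[2]
        if is_first_contact_url(url):
            hits.append((client_ip, url))
    return hits


def clients_by_hit_count(hits: Iterable[tuple[str, str]]) -> Counter:
    """Number of first-contact matches per client IP."""
    return Counter(ip for ip, _ in hits)


def sha256_hex(data: bytes) -> str:
    """Hex SHA256 of APK bytes, for comparison with the published hashes."""
    return hashlib.sha256(data).hexdigest()


def match_iocs(package_name: str, apk_sha256: str) -> set[str]:
    """Return which indicator kinds ('package', 'sha256') an app matches."""
    matched = set()
    if package_name in IOC_PACKAGES:
        matched.add("package")
    if apk_sha256.lower() in IOC_SHA256:
        matched.add("sha256")
    return matched


# Constructed sample log (not real traffic).
SAMPLE_PROXY_LOG = [
    "2023-04-20T10:01:02Z 10.0.0.12 https://a1b2c3d4.netlify.app/3.txt",
    "2023-04-20T10:01:05Z 10.0.0.12 https://play.googleapis.com/log",
    "2023-04-20T10:02:11Z 10.0.0.31 https://some-site.netlify.app/index.html",
    "2023-04-20T10:03:40Z 10.0.0.45 https://zz9.netlify.app.example.net/3.txt",
    "2023-04-20T10:04:00Z 10.0.0.12 HTTPS://Q7r2.NETLIFY.APP/3.txt?v=1",
    "malformed line",
]

if __name__ == "__main__":
    hits = scan_proxy_log(SAMPLE_PROXY_LOG)
    for ip, url in hits:
        print(f"first-contact pattern from {ip}: {url}")
    print("per-client counts:", dict(clients_by_hit_count(hits)))
    # Hypothetical app: package name matches the IoC list, hash does not.
    print(match_iocs("com.good.robo.game.builder.craft.block", "00" * 32))
```

netlify.app is a general-purpose hosting platform, so a netlify.app host on its own is not an indicator; the rule keys on the exact /3.txt first-contact path and is best treated as a lead to correlate with the package-name and hash indicators (or with the continuous ad-library traffic the post describes) rather than as a stand-alone verdict.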

Read more: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/hiddenads-spread-via-android-gaming-apps-on-google-play/