Scammers have latched on to the hugely popular Minecraft game to push what appear to be Android 'cheat' apps that are in fact designed to scare users into paying to rid their devices of non-existent malware, security firm ESET has discovered.
Discovered on Google's Play, it's a tactic that has at various times been hugely popular on Windows computers but it still disappointing that Google's automated rogue app scanner missed these apps on at least 30 occasions in the last nine months.
According to ESET, the first app appeared last August, since when they have been downloaded somewhere between 600,000 and 2.8 million times. The apps always use icons that resemble Minecraft's look and feel and the lure is that users will be able to mod or beat the game.
Given the name FakeApp.AL, anyone infected by them will encounter adware to start with after which an alert is thrown up warning of a 'virus' and offering to clean the device by sending an activation SMS. Lacking admin rights, the app must trick the user into sending this manually at a recurrent cost of Euro 4.80 (£3.42) per week.
The bogus apps even redirects to websites impersonating security firm G Data, ESET said.
"The damage that this recent Android malware discovery can inflict is perhaps less acute when compared to the file-encrypting Android/Simplocker but the seriousness of this threat lies in the fact that it may have been downloaded by almost three million users from the official Google Play store," said ESET researcher, Lukas Stefanko.
In this case, the usual advice of never downloading Android apps from third party sites doesn't apply because the software was sitting on Play.
As Stefanko points out, earlier this year Google announced that it started vetting apps using in-house experts sitting at monitors to complement its automated Bouncer system. While this checking has greatly improved matters compared to the old days when Play was full of dubious apps it can cleary still be bypassed far too easily.
Sign up for Computerworld eNewsletters.