Fake Minecraft Modpacks on Google Play deliver millions of abusive ads and make normal phone use impossible.

Scammers are taking advantage of the Minecraft sandbox video game’s wild success by developing Google Play apps which appear to be Minecraft modpacks, but instead deliver abusive ads, according to researchers.

Since July, Kaspersky researchers have found more than 20 of these apps and determined that they have been downloaded on more than a million Android devices.

Minecraft is a problem-solving game aimed at kids and teens where players create their own worlds. Its original version, called Java Edition, was first released by Mojang Studios in 2009. The skills players build playing Minecraft have been touted by parents and educators as beneficial for kids, which has likely contributed to the game’s success. According to PC Games, more than 200 million copies of Minecraft were sold as of May.

Because Minecraft was designed in Java, it was easy for third-party developers to create compatible applications or “modpacks” to enhance and customize the gaming experience for players. Gamepedia said that today, there are more than 15,000 modpacks for Minecraft available.

Among those 15,000 Minecraft mods lurk at least 20 that Kaspersky researchers were able to identify as malicious. Google Play has removed all but five of the malicious titles, Kaspersky said: Zone Modding Minecraft, Textures for Minecraft ACPE, Seeded for Minecraft ACPE, Mods for Minecraft ACPE and Darcy Minecraft Mod are still up and available.

Google has not responded to Threatpost’s request for comment.

Malicious Modpacks

Of the list of 20 malicious mods, the most popular had more than 1 million installs. Even the least popular was downloaded 500 times, the report said.

Once the modpack malware is installed on the Android device, it only allows itself to be opened once, according to Kaspersky. And once opened, the app is glitchy and useless — exactly how it’s intended to work.

, ‘Minecraft Mods’ Attack More Than 1 Million Android Devices

Fake app ratings. Source: Kaspersky.

“The frustrated user closes the app, which promptly vanishes. More precisely, its icon disappears from the smartphone’s menu,” the report said. “Because the ‘modpack’ seemed glitchy from the start, most users, especially kids and teens, won’t waste time looking for it.”

Forgotten, the app still runs in the background, working overtime to deliver ads.

“The sample we examined automatically opened a browser window with ads every two minutes, greatly interfering with normal smartphone use,” the report continued. “In addition to the browser, the apps can open Google Play and Facebook or play YouTube videos, depending on the [command-and-control] server’s orders. Whatever the case, the constant stream of full-screen ads makes the phone practically unusable.”

Getting Rid of Mod Malware

Researchers said reinstalling the browser or messing with the settings would be the next likely troubleshoot, but that won’t get rid of the malware either. First the user needs to identify the malicious app. The device will display a full list of apps under settings, (Settings → Apps and notifications → Show all apps). Delete the app from this list and the malware should be gone.

“Fortunately, the misbehaving modpacks get removed entirely with deletion and do not try to restore themselves.”

Signs of Malicious Apps

Avoiding malicious apps can be easier if parents and kids know where to look. For instance, Kaspersky researchers pointed out that although two of the malicious modpacks have different publishers, the descriptions are identical, “down to the typos.”

The app ratings also offer a clue something is fishy. Kaspersky pointed out that the average rating was in the three-star neighborhood, but that’s because there were extreme reviews on either end of the spectrum, one-star or five-stars.

“That kind of spread suggests that bots are leaving rave reviews, but real users are very unhappy,” the report added. “Unfortunately, in this case, the cybercriminals are targeting kids and teenagers, who may not pay attention to ratings and reviews before installing an app.”

Popular kids games have been attracting the attention of scammers in general over the past few months.

Minecraft players were also targeted on Google Play earlier this month by fraudsters offering premium skins, mods and wallpapers under a free “trial period,” which quickly ends and starts racking up charges on the victims’ phone bills.

The same week, the company behind the popular kids’ game Animal Jam announced a breach of a third-party server that exposed more than 46 million account records, which were then put up for sale on the dark web.

Put Ransomware on the Run: Save your spot for “What’s Next for Ransomware,” a FREE Threatpost webinar on Dec. 16 at 2 p.m. ET. Find out what’s coming in the ransomware world and how to fight back. 

Get the latest from world-class security experts on new kinds of attacks, the most dangerous ransomware threat actors, their evolving TTPs and what your organization needs to do to get ahead of the next, inevitable ransomware attack. Register here for the Wed., Dec. 16 for this LIVE webinar.