The history of international cyber conflict is remarkably long and storied. The timeline of major cyber threat events stretches back nearly four decades, but it is really only the last decade that has seen the widespread proliferation of national cyber forces. As of 2007, only 10 countries had operational cyber commands, three of which were members of the NATO alliance. Just eight years later, that figure jumped to 61 nations, a full two-thirds of which were outside of the NATO alliance. Clearly, national governments have become more willing to see cybersecurity as a key responsibility. States are also cooperating and sharing the burden of securing cyberspace.
Monthly Archives: April 2023
Google Goes After CryptBot Distributors
HiddenAds Spread via Android Gaming Apps on Google Play
Authored by Dexter Shin
Minecraft is a popular video game that can be played on a desktop or mobile. This is a sandbox game developed by Mojang Studios. Players create and break apart various kinds of blocks in 3-dimensional worlds and they can select to enjoy Survivor Mode to survive in the wild or Creative Mode to focus on being creative.
Minecraft’s popularity has led to many attempts to recreate similar games. As a result, there are many games worldwide built on the same concept as Minecraft, and similar games are easy to find even on Google Play. McAfee Mobile Research Team recently discovered 38 games with hidden advertising. These HiddenAds applications, discovered on the Google Play Store and installed by at least 35 million users worldwide, have been found to stealthily send packets in bulk for advertising revenue.
McAfee, a member of the App Defense Alliance focused on protecting users by preventing threats from reaching their devices and improving app quality across the ecosystem, reported the discovered apps to Google, which took prompt action; the apps are no longer available on Google Play. Android users are protected by Google Play Protect, which can warn users of identified malicious apps on Android devices, and McAfee Mobile Security detects this threat as Android/HiddenAds.BJL. For more information, and to get fully protected, visit McAfee Mobile Security.
How is it distributed to users?
They were officially uploaded to Google Play under various titles and package names. Many games have already been downloaded by users, including apps with 10M+ downloads.
Figure 1. 10M+ downloaded app being one of them
Also, because the games are actually playable, users do not notice the large volume of advertising packets being generated on their devices.
Figure 2. Game screen that can be played
What does it do?
Once the game is running, the user can play without any problems in the block-based world, just as in other Minecraft-type games. However, advertisement packets to various domains are continuously generated on the device. For example, the four packets shown in the picture are questionable packets generated by the ad libraries of Unity, Supersonic, Google, and AppLovin. Despite this traffic, no advertisement is displayed on the game screen.
Figure 3. Continuous advertising packets
What’s even more interesting is the initial network packets of these games. The structure of the initial packet is very similar across apps: the domains all differ, but the path is always 3.txt. That is, packets in the form of https://(random).netlify.app/3.txt commonly occur first. The picture below is an example of the first packet extracted from three different apps.
Figure 4. Similarity of the initial packet form
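The request shape described above can be hunted for in web-proxy logs. The following is an added example, not code from McAfee or from the apps: the two-field log format, the client addresses and the host labels are constructed placeholders, and the function names are hypothetical.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy-log lines (client, URL); hosts are made-up placeholders.
SAMPLE_LOG = """\
10.0.0.5 https://example-one-1a2b3c.netlify.app/3.txt
10.0.0.5 https://ads.example.com/v1/impression?id=7
10.0.0.7 https://EXAMPLE-two-4d5e6f.netlify.app:443/3.txt?t=1
10.0.0.7 https://example-docs.netlify.app/index.html
10.0.0.8 https://netlify.app.example.net/3.txt
10.0.0.8 https://example-three.netlify.app/3.txt.bak
10.0.0.9 not-a-url
10.0.0.5 https://example-four-7a8b9c.netlify.app/3.txt
"""

BASE_DOMAIN = "netlify.app"
BEACON_PATH = "/3.txt"


def is_initial_beacon(url: str) -> bool:
    """True for https://<label>.netlify.app/3.txt, the shape the article describes."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:  # malformed URL, e.g. broken brackets in the host
        return False
    if parts.scheme != "https":
        return False
    # Exactly one label in front of the base domain, so lookalikes such as
    # netlify.app.example.net do not match; the path must be exactly /3.txt.
    label, sep, rest = host.partition(".")
    return bool(label) and sep == "." and rest == BASE_DOMAIN and parts.path == BEACON_PATH


def find_beacons(log_text: str) -> dict[str, list[str]]:
    """Map each client to the distinct matching hosts it contacted, in order seen."""
    hits: dict[str, list[str]] = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 2:
            continue
        client, url = fields
        if is_initial_beacon(url):
            host = urlsplit(url).hostname.lower()
            if host not in hits[client]:
                hits[client].append(host)
    return dict(hits)


if __name__ == "__main__":
    for client, hosts in find_beacons(SAMPLE_LOG).items():
        print(client, hosts)
```

A match is a hunting lead rather than a verdict, since netlify.app also hosts unrelated sites; a client that requests 3.txt from several different subdomains is the stronger signal.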
Users affected worldwide
This threat has been detected in various countries around the world. According to our telemetry, the threat has been most prominently detected in the United States, Canada, South Korea, and Brazil.
Figure 5. Users around the world who are widely affected
As we featured in the McAfee 2023 Consumer Mobile Threat Report, games are one of the most accessible types of content for young people using mobile devices. Malware authors are also aware of this and try to hide their malicious features inside games. Not only is it difficult for general users to find these hidden features, but users also readily trust games from official stores such as Google Play.
We first recommend that users thoroughly read user reviews before downloading applications from the store. Users should also install security software on their devices and always keep it up to date.
Indicators of Compromise
The post HiddenAds Spread via Android Gaming Apps on Google Play appeared first on McAfee Blog.
#RSAC: Experts Urge Applying Lessons Learned from Russia-Ukraine Cyberwar to Potential China-Taiwan Scenario
As tensions rise between China and Taiwan, US Government officials are keen to implement lessons learned from Ukraine’s cyberwar
Smashing Security podcast #319: The CEO who also ran IT, Strava strife, and TikTok tall tales
A boss is bitten in the bottom after being struck by one of the worst crimes in Finnish history, Strava’s privacy isn’t so private, and a private investigator uncovers some TikTok tall tales. All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by computer security veterans Graham …
#RSAC: Pro Sports Grapple with Convergence of Cyber and Physical Security Challenges
CISOs from the NBA, NFL and NHL discuss their close cooperation to mitigate the unique cyber risks they experience
Iranian cyberspies deploy new malware implant on Microsoft Exchange Servers
A cyberespionage group believed to be associated with the Iranian government has been infecting Microsoft Exchange Servers with a new malware implant dubbed BellaCiao that acts as a dropper for additional payloads. The malware uses DNS queries to receive commands from attackers encoded into IP addresses.
According to researchers from Bitdefender, the attackers appear to customize their attacks for each particular victim including the malware binary, which contains hardcoded information such as company name, custom subdomains and IP addresses. Debugging information and file paths from compilation that were left inside the executable suggest the attackers are organizing their victims into folders by country code, such as IL (Israel), TR (Turkey), AT (Austria), IN (India), or IT (Italy).
CVE-2020-36070
Insecure Permission vulnerability found in Yoyager v.1.4 and before allows a remote attacker to execute arbitrary code via a crafted .php file to the media component.
USN-6042-1: Cloud-init vulnerability
James Glovich discovered that sensitive data could be exposed in logs. An
attacker could use this information to find hashed passwords and possibly
escalate their privilege.
USN-6017-2: Ghostscript vulnerability
USN-6017-1 fixed vulnerabilities in Ghostscript. This update provides the
corresponding updates for Ubuntu 23.04.
Original advisory details:
Hadrien Perrineau discovered that Ghostscript incorrectly handled certain
inputs. An attacker could possibly use this issue to cause a denial of
service, or possibly execute arbitrary code.