{
	"id": "6b005cf8-9920-4e2a-9efa-afb14d676b2c",
	"created_at": "2026-04-06T00:12:59.713202Z",
	"updated_at": "2026-04-10T03:30:32.760785Z",
	"deleted_at": null,
	"sha1_hash": "4110152f846335e04e2288611d2f082b19cbeffa",
	"title": "Malware Displaying Porn Ads Discovered in Game Apps on Google Play",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 75570,
	"plain_text": "Malware Displaying Porn Ads Discovered in Game Apps on Google\r\nPlay\r\nBy deugenio\r\nPublished: 2018-01-12 · Archived: 2026-04-05 23:40:14 UTC\r\nResearch By: Elena Root \u0026 Bogdan Melnykov\r\nCheck Point Researchers have revealed a new and nasty malicious code on Google Play Store that hides itself\r\ninside around 60 game apps, several of which are intended to be used by children. According to Google Play’s\r\ndata, the apps has so far been downloaded between 3 million and 7 million times.\r\nHow It Works\r\nDubbed ‘AdultSwine’, these malicious apps wreak havoc in three possible ways:\r\n1. Displaying ads from the web that are often highly inappropriate and pornographic.\r\n2. Attempting to trick users into installing fake ‘security apps’.\r\n3. Inducing users to register to premium services at the user’s expense.\r\nApart from these current three main activities, the malicious code can use its infrastructure to broaden its goals to\r\nother purposes, such as credential theft.\r\nhttps://research.checkpoint.com/malware-displaying-porn-ads-discovered-in-game-apps-on-google-play/\r\nPage 1 of 8\n\nFigure 1: AdultSwine operation flow\r\nOnce the malicious app is installed on the device, it waits for a boot to occur or for a user to unlock his screen,\r\nupon which it initiates its malicious activity.\r\nIllegitimate and Inappropriate Ads\r\nFirst, the malicious code contacts its Command and Control server (C\u0026C) to report the successful installation,\r\nsends data about the infected device and then receives the configurations, which determine its course of operation.\r\nThese configurations instruct it on whether to hide its icon (to encumber removal), which ads to display, over\r\nwhich apps and on what terms. It is interesting to note that the server however forbids ads to be displayed over\r\ncertain apps such as browsers and social networks, in order to avoid suspicion.\r\nThe malicious code then verifies certain conditions regarding the device’s status and checks which app is currently\r\nrunning on screen. Once all its terms are met, it  begins to display the illegitimate ads outside of the app’s context.\r\nIf it is embedded inside a web browser app the ads will be displayed inside that browser, if not they will be\r\ndisplayed inside a designated web view.\r\nAs for the ads being displayed, they come from two main sources; the first is that of the main ad providers, which\r\nforbid such illegitimate display of their ads. The second is the malicious code’s own ad library, which contains ads\r\nof an offensive nature, including pornographic ads. All these are displayed to children while playing the game that\r\nthe app is masquerading as.\r\nBelow is a mild example of the ads presented and a comment from one of the victims, whose son had an\r\nunfortunate experience.\r\nhttps://research.checkpoint.com/malware-displaying-porn-ads-discovered-in-game-apps-on-google-play/\r\nPage 2 of 8\n\nFigure 2: Examples of ad displayed and user reviews on Google Play\r\nScareware – Deceptive App Install Tactics\r\nAnother course of action the malicious app pursues is scaring users into installing unnecessary and even harmful\r\n“security” apps.\r\nFirst, the malicious app displays an ad that claims the user’s device is infected by a virus. Should the user press\r\nthe notification of “Remove Virus Now” he is redirected to an app in the Google Play Store with a somewhat\r\nquestionable connection to virus removal. An experienced eye could easily foresee this tactic, though a child\r\nplaying a game app is easy prey for such nefarious apps.\r\nFigure 3 – Left image: Scareware Ad Displayed\r\nCentre image: The redirect ‘anti-virus’ app in Google Play.\r\nRight image: User reviews in Google Play\r\nRegistering To Premium Services\r\nAnother technique used by the malicious app is registering to premium services and charging the victim’s account\r\nfor fraudulent premium services they did not request to send or receive. In a similar way to the scareware tactic\r\nseen above, the malicious app initially displays a pop-up ad, which attempts to persuade the user to click through.\r\nhttps://research.checkpoint.com/malware-displaying-porn-ads-discovered-in-game-apps-on-google-play/\r\nPage 3 of 8\n\nThis time however, the ad claims that the user is entitled to win an iPhone by simply answering four short\r\nquestions. Should the user answer them, the malicious code informs the user that he has been successful, and asks\r\nhim to enter his phone number to receive the prize. Once entered, the malicious code then uses this number to\r\nregister to premium services.\r\nThe flow is presented in the images below.\r\n \r\n                                     Notification of Winning the iPhone            Request to Enter Phone Number\r\nA Comprehensive Threat\r\nAlthough for now this malicious app seems to be a nasty nuisance, and most certainly damaging on both an\r\nemotional and financial level, it nevertheless also has a potentially much wider range of malicious activities that it\r\ncan pursue, all relying on the same common concept.\r\nThe malicious code simply receives a target link from its Command and Control server and displays it to the user.\r\nWhile in some cases this link is merely an advertisement, it could also lead to whatever social engineering scheme\r\nthe hacker has in mind.\r\nIndeed, these plots continue to be effective even today, especially when they originate in apps downloaded from\r\ntrusted sources such as Google Play.\r\nAppendix 1 – List of App Names\r\nApp Name Minimum Downloads Maximum Downloads\r\nhttps://research.checkpoint.com/malware-displaying-porn-ads-discovered-in-game-apps-on-google-play/\r\nPage 4 of 8\n\nFive Nights Survival Craft 1,000,000 5,000,000\r\nMcqueen Car Racing Game 500,000 1,000,000\r\nAddon Pixelmon for MCPE 500,000 1,000,000\r\nCoolCraft PE 100,000 500,000\r\nExploration Pro WorldCraft 100,000 500,000\r\nDraw Kawaii 100,000 500,000\r\nSan Andreas City Craft 100,000 500,000\r\nSubway Banana Run Surf 100,000 500,000\r\nExploration Lite : Wintercraft 100,000 500,000\r\nAddon GTA for Minecraft PE 100,000 500,000\r\nAddon Sponge Bob for MCPE 100,000 500,000\r\nDrawing Lessons Angry Birds 50,000 100,000\r\nTemple Crash Jungle Bandicoot 50,000 100,000\r\nDrawing Lessons Lego Star Wars 50,000 100,000\r\nDrawing Lessons Chibi 50,000 100,000\r\nGirls Exploration Lite 10,000 50,000\r\nDrawing Lessons Subway Surfers 10,000 50,000\r\nPaw Puppy Run Subway Surf 10,000 50,000\r\nFlash Slither Skin IO 10,000 50,000\r\nInvisible Slither Skin IO 10,000 50,000\r\nDrawing Lessons Lego Ninjago 10,000 50,000\r\nDrawing Lessons Lego Chima 5,000 10,000\r\nTemple Bandicoot Jungle Run 1,000 5,000\r\nBlockcraft 3D 1,000 5,000\r\nJungle Survival Craft 1.0 1,000 5,000\r\nEasy Draw Octonauts 1,000 5,000\r\nhalloweenskinsforminecraft 1,000 5,000\r\nhttps://research.checkpoint.com/malware-displaying-porn-ads-discovered-in-game-apps-on-google-play/\r\nPage 5 of 8\n\nskinsyoutubersmineworld 1,000 5,000\r\nyoutubersskins 1,000 5,000\r\nDiadelosMuertos 500 1,000\r\nDraw X-Men 500 1,000\r\nMoviesskinsforminecraft 500 1,000\r\nVirtual Family – Baby Craft 500 1,000\r\nMine Craft Slither Skin IO 500 1,000\r\nGuide Clash IO 100 500\r\nInvisible Skin for Slither IO app 100 500\r\nZombie Island Craft Survival 100 500\r\nHalloweenMakeUp 100 500\r\nThanksgivingDay 100 500\r\nThanksgivingDay2 100 500\r\nJurassic Survival Craft Game 100 500\r\nPlayers Unknown Battle Ground 100 500\r\nSubway Bendy Ink Machine Game 100 500\r\nShin Hero Boy Adventure Game 100 500\r\nTemple Runner Castle Rush 100 500\r\nDragon Shell for Super Slither 100 500\r\nFlash Skin for Slither IO app 50 100\r\nAnimePictures 50 100\r\nPixel Survival – Zombie Apocalypse 50 100\r\nFire Skin for Slither IO app 10 50\r\nSan Andreas Gangster Crime 10 50\r\nfidgetspinnerforminecraft 10 50\r\nStickman Fighter 2018 10 50\r\nSubway Run Surf 10 50\r\nhttps://research.checkpoint.com/malware-displaying-porn-ads-discovered-in-game-apps-on-google-play/\r\nPage 6 of 8\n\nGuide Vikings Hunters 10 50\r\nWoody Pecker 10 50\r\nPack of Super Skins for Slither 10 50\r\nSpinner Toy for Slither 10 50\r\nHow to Draw Coco and The Land of the Dead 10 50\r\nHow to Draw Dangerous Snakes and Lizards Species 1 5\r\nHow to Draw Real Monster Trucks and Cars 1 5\r\nHow to Draw Animal World of The Nut Job 2 1 5\r\nHow to Draw Batman Legends in Lego Style 1 5\r\nAppendix 2 – List of SHA256 hashes\r\n08a595d274c5988a975a2746705422cbf110ce1de6e0b66fd798acc961a30687\r\nd49b4359851e1bc4d66510412e111115fff19bbafc92fabee51229e1876b649d\r\n952cccf1b4149110dbc336b8925c5d8e4a3d71c60969b2d6127a4bf9bb7ba08d\r\n19566767d6b1e340436a520a30af7febf480e812443f435fc4800c7a1d27248e\r\n14f1829a9d3c38a45c869c28ee8cde1e4e67cd5a637b22edb62de01e3faf7932\r\n34d1a4a40a959d2c4219dfc5ca7e4b6aa9771ad1c577baf0a2fe16b655e9837d\r\n89e0bfae364ce7e9319c4e7fe365eb68f8d590d5f3d81abad4b81ce78736d4a2\r\nc12a75a55e6bd72945a74497b72f448eb8303605a8a1418a7e33abf25a447b48\r\ne06a932be78bc9431c4cd876a45d504f30c3d9032fbfa2945eaf1a42c5b040f8\r\nbfe453afb0afd92d42362bdc662c8cede2b35f004c9031ab6461fb765cf0c893\r\n281db6373f5b40dffa88ce9cb054eb3744bc95d51089b067549f7166c1a3075d\r\na309d862ed007befa05cfd36a8ddb64fe4f39fd7298890d2c5f4c38d3a6fd39a\r\na571bb83695b79a4521e7a297b5b4cd04e3a18e2c4a58b796ba6ac68e0634f5f\r\n3d3e8e48db16546f7c4d1195cd87c1c705f16e9208c5a91a36a9df8686e6bcd5\r\n6dd8096ad8d8f4065153f20247e2391ca0bfd8d269e31523dd4907102527ee0b\r\nhttps://research.checkpoint.com/malware-displaying-porn-ads-discovered-in-game-apps-on-google-play/\r\nPage 7 of 8\n\n73561c69d590f0a74528b3579581c9d2a157c36f6abfb90a1188bffd88549de9\r\n4e4ca96b22aeb5e990548cbc3c9ac9266dce055b6a74ca8202b2a43f6a0945f2\r\nf9bff59ed24bb8c873ce209239e18a3209cd311fd911ce9fd4ec4087e242ed27\r\n31304f5387025f5016d4716ed0943193b9e58acf22dbf904db8a160864642309\r\nb908f2c4163d7ce0b20581d65395c2ebc2b866dc0a709ef4deda2038a519e3ad\r\n653e9fab85fda60460c4374666c9513ce85967eafd279a687b80b622c1631ff2\r\n564313b6d07bc54482671b010e23095fcb35fd1402cbf8464bc2b3f9e4a5f3c6\r\n67f93cc2fc5dd4df95618399afc3b7070310b88d9b7e1b817b97e493a1eac076\r\n82f41c08c4d48960083c83625a77e6f8cae62e4c2548d3a21128b23c7abf570c\r\n64da0f06b505a2dbe3f6516c117ffaa1af44593733b44a3a796400c5a4d982e5\r\nf0921f0cbaaecd517f900988b2a220f71e28a67587c8a811c4a56397223dd7d6\r\na40d4621097afed5670c9c4da87603cb2f3a70da7d14d9b4340c58a67d9cf6f4\r\n5302cf3afc9d16a9bcd6c05e2d6bdac54689f0119d61037fe53b0e02e1753e1b\r\n8a94245757531eb074a0ac94b78871d161f87d46a36f0e8f8c62938e2a02ae84\r\n8b2ec78b63e469129ae84cf23f3942d5e5b63fcc42348c5ffa4722a57355488d\r\nac5a0bec8e5b6e08649b40a67e6f9786f83c9e54b8d870bc8c5e4b0e0fb6e6c1\r\n0d8d1eece839fa842f2bc6b8b3f6f15494f4e02a14f51fd7a4bf9971a87756d5\r\nd33b27e37bd7c59e36bc7eabcc0e576f735d0bc39f7b3f1796926ba0e0745742\r\nSource: https://research.checkpoint.com/malware-displaying-porn-ads-discovered-in-game-apps-on-google-play/\r\nhttps://research.checkpoint.com/malware-displaying-porn-ads-discovered-in-game-apps-on-google-play/\r\nPage 8 of 8\n\nDrawing Temple Bandicoot Lessons Lego Jungle Chima Run 5,000 1,000 10,000 5,000\nBlockcraft 3D 1,000 5,000\nJungle Survival Craft 1.0 1,000 5,000\nEasy Draw Octonauts 1,000 5,000\nhalloweenskinsforminecraft  1,000 5,000\n  Page 5 of 8",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://research.checkpoint.com/malware-displaying-porn-ads-discovered-in-game-apps-on-google-play/"
	],
	"report_names": [
		"malware-displaying-porn-ads-discovered-in-game-apps-on-google-play"
	],
	"threat_actors": [
		{
			"id": "1a76ed30-4daf-4817-98ae-87c667364464",
			"created_at": "2022-10-25T16:47:55.891029Z",
			"updated_at": "2026-04-10T02:00:03.646466Z",
			"deleted_at": null,
			"main_name": "IRON LIBERTY",
			"aliases": [
				"ALLANITE ",
				"ATK6 ",
				"BROMINE ",
				"CASTLE ",
				"Crouching Yeti ",
				"DYMALLOY ",
				"Dragonfly ",
				"Energetic Bear / Berserk Bear ",
				"Ghost Blizzard ",
				"TEMP.Isotope ",
				"TG-4192 "
			],
			"source_name": "Secureworks:IRON LIBERTY",
			"tools": [
				"ClientX",
				"Ddex Loader",
				"Havex",
				"Karagany",
				"Loek",
				"MCMD",
				"Sysmain",
				"xfrost"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434379,
	"ts_updated_at": 1775791832,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4110152f846335e04e2288611d2f082b19cbeffa.pdf",
		"text": "https://archive.orkl.eu/4110152f846335e04e2288611d2f082b19cbeffa.txt",
		"img": "https://archive.orkl.eu/4110152f846335e04e2288611d2f082b19cbeffa.jpg"
	}
}