Do you know who your mobile games talk to?

Aug 10, 2021

One of the most deceptive things about mobile apps and social media apps is that you’re never really sure where they come from. You can often read about the authors, but nothing really tells you what happens when you engage the app from a given device or platform. While at Black Hat USA 2021 we announced that our threat detection team discovered and documented suspicious behavior on two popular websites (Playrix[.]com and a subdomain of Yandex[.]com) that are hosted in Russia and expose unknowing visitors to malware downloads.

It’s an extremely frustrating case as well because various INFOSEC and domain rating websites continue to waver on whether these sites are malicious in nature. We pose this question right up front: If your employees are engaging their social media games on their personal devices via your provisioned free WiFi or via company resources, are you comfortable with the redirected connections to domains associated with hosting malware?

Playrix is a legitimate, non-malicious mobile gaming business. They are responsible for free mobile games such as Fishdom, Gardenscapes, and even Township for iOS and Android. They are the third-largest mobile game developer in the world. Yandex, on the other hand, is a multinational corporation providing over 70 internet-related services. It is mostly a Russian company and owns the largest Russian-language search engine on the Internet, with a market share of over 52%. It is touted as the 5th largest search engine in the world. Additionally, Yandex Metrica is a very popular website analytics and tracking service, like Google Analytics, and is even popular with hosting companies such as Wix, which provide readily available plugins to include Yandex Metrica for visitor marketing analytics.

However, we saw what we saw. We were surprised to see that clients who landed on the Playrix website were redirected to the Yandex subdomain. We are confident that someone has hijacked the Playrix site via a cookie pop-up and redirects potential victims to a subdomain of Yandex that will most likely place a user device or an organization’s network at risk of infection. The threat research team was able to track over 20 known malicious files (malware) specifically coded to reach back to the identified Yandex subdomain. Furthermore, AlienVault indicates they see 873 malicious files communicating with the suspicious subdomain.
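The two behaviors described above (a visitor to one site being sent on to a watched host, and infected machines reaching back to that host) both leave traces in a web proxy log. The script below is an added example, not code from the post or from the research team: it runs over a few constructed proxy log lines in an assumed space-separated layout, with placeholder domains standing in for the sites named in the post, and flags cross-site referrals into a watched host as well as clients that contact it at regular intervals with no Referer, which is the beaconing pattern a browser click-through rarely produces.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy log lines (not data from the post) in an assumed layout:
#   epoch_seconds client_ip method url status referer   ("-" = no Referer header)
SAMPLE_LOG = """\
1628550001 10.0.0.12 GET https://game-publisher.example/ 200 -
1628550002 10.0.0.12 GET https://cdn.game-publisher.example/cookie-banner.js 200 https://game-publisher.example/
1628550003 10.0.0.12 GET https://tracker.suspicious.example/collect?id=1 302 https://game-publisher.example/
1628550004 10.0.0.12 GET https://tracker.suspicious.example/payload.bin 200 https://tracker.suspicious.example/collect?id=1
1628550010 10.0.0.33 GET https://game-publisher.example/ 200 -
1628550011 10.0.0.33 GET https://tracker.suspicious.example/collect?id=2 302 https://game-publisher.example/
1628550100 10.0.0.44 GET https://news.example/ 200 -
1628553600 10.0.0.12 POST https://tracker.suspicious.example/beacon 200 -
1628557200 10.0.0.12 POST https://tracker.suspicious.example/beacon 200 -
1628560800 10.0.0.12 POST https://tracker.suspicious.example/beacon 200 -
"""

# Placeholder for the host(s) you are watching; constructed, not the subdomain from the post.
WATCHLIST = {"tracker.suspicious.example"}


def parse_line(line):
    """Split one log line into a dict; returns None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, client, method, url, status, referer = parts
    return {
        "ts": int(ts),
        "client": client,
        "method": method,
        "host": urlparse(url).hostname or "",
        "status": int(status),
        "referer_host": urlparse(referer).hostname if referer != "-" else None,
    }


def find_cross_site_redirects(lines, watchlist):
    """Requests to a watched host whose Referer is a different site.

    Returns a list of (client, referring_host, watched_host). Same-host referers
    are ordinary in-site navigation and are ignored.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["host"] not in watchlist:
            continue
        ref = rec["referer_host"]
        if ref and ref != rec["host"]:
            hits.append((rec["client"], ref, rec["host"]))
    return hits


def find_periodic_direct_hits(lines, watchlist, min_hits=3, max_jitter=60):
    """Clients that contact a watched host with no Referer at near-regular intervals.

    Returns {client: (hit_count, median_interval_seconds)} for clients with at
    least min_hits such requests whose inter-request gaps vary by at most
    max_jitter seconds.
    """
    times = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["host"] not in watchlist or rec["referer_host"] is not None:
            continue
        times[rec["client"]].append(rec["ts"])
    result = {}
    for client, ts in times.items():
        if len(ts) < min_hits:
            continue
        ts.sort()
        gaps = sorted(b - a for a, b in zip(ts, ts[1:]))
        if max(gaps) - min(gaps) <= max_jitter:
            result[client] = (len(ts), gaps[len(gaps) // 2])
    return result


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for client, src, dst in find_cross_site_redirects(lines, WATCHLIST):
        print(f"redirect: {client} arrived at {dst} from {src}")
    for client, (n, gap) in find_periodic_direct_hits(lines, WATCHLIST).items():
        print(f"beacon: {client} hit a watched host {n} times, ~{gap}s apart")
```

Feed it your own proxy export after adapting `parse_line` to the real field order; the referer check is what separates "a page sent this visitor onward" from "this machine is calling home on its own", which is the distinction the post draws between the hijacked website and the malware tied to the same subdomain.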

“This discovery illustrates just how easy it is for innocent visitors to be exposed to malware. It reinforces the point that we need to make sure our employees understand how to safely navigate the Internet and that companies need to use advanced cybersecurity innovations to protect their employees and critical assets.”

Gary Davis, Chief Evangelist

Download your free copy of the discovery report here.
