Rogue Minecraft Skins Infect 50,000 Players With Malware [UPDATE]

Minecraft skins.
Minecraft skins.
Image: Minecraft

Skins uploaded to the official Minecraft site have affected over 50,000 Minecraft accounts with malware, according to a report by security firm Avast.

The skins are pretty typical-looking: One’s a yellow suit with a face mask, another’s a blue hoodie getup. In the last 10 days, Avast’s antivirus software has blocked a reported 14,500 attempts to infect users’ computers. Any of Minecraft’s 74 million players could download these skins off Minecraft’s site. nce downloaded, malware inside the skins’ files could reformat infected users’ hard drives and delete backup data.

Minecraft skins that have reportedly affected players.
Minecraft skins that have reportedly affected players.
Image: Avast

Infected users have also received messages in their Minecraft account inbox reading, “Your ass got glued, “You have maxed your internet usage for a lifetime,” and “You Are Nailed, But A New Computer This Is A Piece Of Shit.”

Microsoft said the infected skins are no longer available to download. “We have addressed this issue and put additional measures in place to protect our community,” a company spokesperson told Kotaku.

[Update—3:24 pm ET]: Minecraft’s developers elaborated on the malware attack in a blog post. It noted that any Minecraft player can upload a skin as a PNG file, but PNG files can contain malicious code. It added, “this code would not be run or read by the game itself. While your antivirus software might detect this code and alert you to its presence, the code would not be able to run by itself.”

A new update deletes superfluous information—like potentially damaging code—from skins’ files.

Senior reporter at Kotaku.

Share This Story

Get our `newsletter`



How does a player skin, which should be just an image file, manage to contain malware and execute it on users’ machines?