Not too long ago, Alexander Blade released ScriptHookV, which opened the world of modding to Grand Theft Auto V on the PC. While Blade’s tool allows gamers to use and create some awesome content, the way it works also comes with many caveats. One of these caveats was recently exposed when it was discovered that popular GTA V mods contain malware.
ScriptHookV uses DLL injection and asi assembly files to run user-created code in the game. While it is smart to mod any game with caution, this method is especially risky. DLL injection allows any foreign code to be run without the game knowing what is actually happening. Furthermore, DLL and asi files can also gain full access to a user's system and have the same amount of control as any executable. This means that gamers are completely vulnerable to viruses when using these methods of modding.
About a day ago, GTAForums user aboutseven discovered a strange process running in the background of his computer. Upon further investigation, he found that it led to a malicious executable, fade.exe. The executable took over a system process and forcibly changed the Windows logon registry to start itself on launch. It was later discovered that fade.exe was collecting keystrokes and sending them to a remote IP address. This means the mod author is able to collect various sorts of sensitive information such as passwords and credit cards.
As of now, the only two mods that have been confirmed to have malicious code are Angry Planes and NoClip. It appears that the original mod authors added in the malware after their mods gained popularity. While this is the case for these two mods, it is also possible for people to falsely re-upload mods with their own malware injected. Regardless, it is wise to always be careful when installing mods.
Luckily, aboutseven has updated his original post with instructions on how to remove fade.exe and associated malware. It should be noted, however, that there are many different kinds of malicious software that could be obtained via modding, so it is smart for gamers to ensure their computer is protected with anti-malware software. Unfortunately, anti-malware won’t always be able to detect the mod malware until after it has been installed.
Due to the nature of asi and DLL files, it is very hard to scan them for malware. The only easy way to tell if a mod contains malware is to run it with GTA. This certainly isn’t an easy task when you account for all the different mods and distributors that currently exist. There are some sites, like GTA5-Mods, that have now implemented a lengthy approval process for all asi and DLL mods. Fortunately, there are other types of mod files, such as .lua and .cs, that allow the source code of the mod to be easily viewed, edited, and verified. There are also .rpf mods that are almost guaranteed to be system-safe considering they are solely a part of GTA’s file system.
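The file-type distinction above can be used as a first-pass triage of a mod folder before anything is loaded. The following is an added example, not code from the original article or from any mod site: it classifies files by content as well as extension, since an .asi file is a Windows PE image like a DLL. The file names and class labels are assumptions, and the script does not detect malware; it only shows which files are native code that cannot be reviewed as source.

```python
import struct
import tempfile
from pathlib import Path

NATIVE_EXT = {".asi", ".dll", ".exe"}  # loaded or run as native code
SOURCE_EXT = {".lua", ".cs"}           # source can be read before use
ARCHIVE_EXT = {".rpf"}                 # game archive data

def is_pe(path):
    """True if the file has an MZ header whose e_lfanew points at a PE signature."""
    with open(path, "rb") as f:
        head = f.read(0x40)
        if len(head) < 0x40 or head[:2] != b"MZ":
            return False
        (pe_offset,) = struct.unpack_from("<I", head, 0x3C)
        f.seek(pe_offset)
        return f.read(4) == b"PE\0\0"

def classify(path):
    """Content decides first: a PE image is native code whatever its extension says."""
    ext = Path(path).suffix.lower()
    if is_pe(path):
        return "native" if ext in NATIVE_EXT else "disguised-native"
    if ext in SOURCE_EXT:
        return "source"
    if ext in ARCHIVE_EXT:
        return "archive"
    return "other"

def triage(folder):
    """Map each file under folder (relative path) to its class."""
    root = Path(folder)
    return {p.relative_to(root).as_posix(): classify(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def build_sample(folder):
    """Constructed sample files; the PE stub is a header only, not a working binary."""
    stub = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0"
    root = Path(folder)
    (root / "example_mod.asi").write_bytes(stub)
    (root / "example_script.lua").write_text("-- readable script source\n")
    (root / "example_pack.rpf").write_bytes(b"constructed archive bytes")
    (root / "notes.lua").write_bytes(stub)  # native code behind a script extension

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        for name, kind in triage(d).items():
            print(f"{kind:17} {name}")
```

Anything reported as `native` or `disguised-native` is the kind of file the article says cannot be easily verified, so it is the part of a download that deserves a trusted source or an approval process.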