One Student: 42 Malicious Google Play Adware Apps
One student, studying in Hanoi, Vietnam, was recently discovered to be behind 42 malicious adware apps, that were on Google Play and were downloaded by millions. The discovery was made by ESET security researcher, Lukas Stefanko.
The 42 Google Play Store apps involved in an adware campaign since July 2018. Half of these applications until recently were available on Google Play for downland and included several video downloading programs, music players, gallery, note recorder services, and several gaming applications. All seemingly, innocent, unassuming apps.
These apps were all host to an adware campaign dubbed “Ashas” (Android/AdDisplay.Ashas) a clever invention from the student from the unnamed Vietnamese university. According to security reports, the 42 apps were installed over eight million times since they were first released.
ESET identified that the aggressive Ashas adware was not featured on the initial versions of all of the 42 apps. However, eventually, the developer decided to turn from a legitimate app development business into an illegal adware and ad fraud operation.
At some point, all the apps received updates with the Ashas adware code. This code worked by showing fullscreen ads overlaid on top of other legitimate apps.
As the student began as a legitimate developer, he did not try to cover his identity. Thus, once he transitioned to an illegal ad fraud operation, it easy to track his identity and crimes.
“Seeing that the developer did not take any measures to protect his identity, it seems likely that his intentions weren’t dishonest at first,” Stefanko said in a blog post
“At some point in his Google Play career, he apparently decided to increase his ad revenue by implementing adware functionality in his apps’ code”.
How Exactly Did This Malicious Adware App Work?
When an adware-based app is downloaded and activated, the app makes connects with the ‘Command and Control server’ and gathers some information about the affected device such as the type, space left, operating system version, language used, the number of programs already installed, the availability of Facebook or Messenger, battery condition, and if the developer mode has been activated.
After, the installed application checks whether if Google Play security services are spying on it. If this is the case, the adware app’s safety mechanism is activated, the app avoids launching its suspicious content on the phone. However, if everything is operating properly, the app waits 24 minutes after its installation before targeting the user’s phone with suspicious offers, ads, and deals. The adware attempts to enhance its credibility by providing ads containing fake Google or Facebook logos.
“This is a relatively sophisticated operation. Not only does it display typical ad fraud techniques, in this case, a trojan app containing adware, but it also has in-built mechanisms to evade detection from both the device-owner and Google Play” said Devrim Cavusoglu, a data scientist from Interceptd.
Since all 42 adware apps did function as advertised, such as Radio functionality, or game functionality, it would have been quite difficult for most users to spot the rogue app and identify it as anything suspicious.
Additionally, as there is little public awareness about ad fraud and what is ad fraud, this also aided the lack of detection of these adware apps.
These adware apps, are apart of a larger organized crime of ad fraud. AdAge reported in 2015, that for every $3 spent on digital advertising, $1 goes to ad fraud. Little has changed since then. Ad fraud continues to take a large portion of digital and mobile advertising spend. Additionally, understanding is low.
The app had yet another layer of defense to evade detection: “If a typical user tries to get rid of the malicious app, chances are that only the shortcut ends up getting removed. The app then continues to run in the background without the user’s knowledge,” Stefanko said.
The researchers have said that the adware developer was not hard to track down, as he did not keep his identity secret from the start. Experts tend to look for information contained in the registered Command and Control server which belonged to the adware developer.
ESET was able to link emails he used to registered adware domains to personal accounts on GitHub, YouTube, and then finally Facebook.
The research showed that the email associated with the Command and Control domain was in Hanoi, Vietnam, a mobile phone number, the domain, and registrar names were also located. Experts followed up on these clues and found that the data belonged to a student from Hanoi Vietnam.
This person inserted adware into Google Play Store applications without notifying anyone, and there is very little chance that he will face judicial consequences as law agencies are only interested in catching real hackers that get involved in large-scale incidents and not just “try” some type of bogus activity. Due to law agencies not taking a firm stand on these matters Adware and ad fraud continue to proliferate the industry.
As many countries struggle to understand what is ad fraud, within a legal and judicial context, this also impedes lawmakers, legal professionals, and administrative authorities from apprehending ad fraud and adware criminals.
“The apps were reported to the Google security team by Stefanko and were swiftly removed,” ESET said. “However, the apps are still available in third-party app stores.”
The public is encouraged to go through the entire list of questionable applications and make sure that you do not download them onto your Android phone.
Some of the 42 apps were also present on Apple’s App Store, this is also encouraged for iOS users to check their iPhones for these apps. However, currently, none of these apps contain any adware functionality
See LIVE, the ad fraud prevention capabilities of Interceptd, to drive the healthy growth cycle of your app and empower your ROAS. Or, if you’d like to know more about what is ad fraud, then you can book a free consultation or 2-week trial here.