With over 2.8 million available apps in Google’s Play Store, malicious actors can occasionally slip through Google’s stringent verification system.

ESET researchers have detected 42 Android apps in the Google Play store using several tricks to stay hidden. ESET says 21 of them were active at the time of the discovery.

This money-making adware campaign has been reportedly running for about a year now, with the involved Android apps installed eight million times from Google Play alone.

These apps have been identified as belonging to the Android/AdDisplay.Ashas family. They can steal key data about the affected device, Lukas Stefanko, a malware researcher working with ESET, wrote in a blog post today.

Apps of the Android/AdDisplay.Ashas family reported to Google by ESET. Image from ESET.

The malicious apps were removed by the Google security team after being reported. However, certain third-party app stores still house these apps.

The tricks that the attacker uses for stealth, resilience and displaying ads include mimicking Google and Facebook apps to avoid suspicion, and deleting their shortcut icon for longer resilience and making them more difficult to remove.

ESET researchers also found that the developer had appended many of the package names with “com.google”, which can sometimes bypass simple name-checking algorithms and certain sandboxes.

Is adware harmful? The answer is yes

The users of apps containing adware usually do not understand the real nature of these malicious apps. This is the reason why it is important not to trust these apps or their developers. They look absolutely normal but act maliciously by:

  • Gathering personal information and device information of the user
  • Scamming users with intrusive ads
  • Wasting the battery resources of the users’ devices
  • Generating increased network traffic

About the attacker

ESET tracked down the operator of this campaign and developer of the adware using open-source information. A student at an Vietnamese university, he has also been identified as the owner of the C&C server. In addition, he also has some apps in Apple’s app store. Some of them are iOS versions of the apps that have been removed from Google Play, however none contain adware functionality, wrote Stefanko.

ESET researchers also discovered that the attacker’s Youtube channel propagates the Ashas adware and his other projects. As for the Ashas family, one of the associated promotional videos, “Head Soccer World Champion 2018 – Android, iOS” was viewed almost three million times and two others reached hundreds of thousands of views, the blog reported.

The researchers were also able to extract the malicious developer’s Facebook profile. Linked on his profile, researchers found a Facebook page – Minigameshouse, and an associated domain – minigameshouse[.]net. Through this, he promotes a large number of games beyond the Ashas family for download on both Google Play and the App store. Some of them did not contain any adware functionality, however Google has still removed all of them from Google Play.



Related Download
Cybersecurity Conversations with your Board Sponsor: CanadianCIO
Cybersecurity Conversations with your Board – A Survival Guide
A SURVIVAL GUIDE BY CLAUDIO SILVESTRI, VICE-PRESIDENT AND CIO, NAV CANADA
Download Now