ESET experts calculated author of 42 applications that were hosted on Google Play and showed intrusive ads to users. It turned out to be a Vietnamese student that wanted to increase his income.
In total, applications containing adware Android / AdDisplay.Ashas have been installed more than 8,000,000 times.“We identified 42 apps on Google Play as belonging to the campaign, which had been running since July 2018. We reported the apps to the Google security team and they were swiftly removed. However, the apps are still available in third-party app stores. All the apps provide the functionality they promise, besides working as adware”, — report ESET specialists.
Researchers conclude that applications were not immediately infected with Ashas.
Obviously, the malware appeared in the code over time, when the developer decided to turn his legitimate application development business into a not entirely legal advertising business, showing users full-screen ads on top of other application windows.
Read also: Exploitation of the vulnerability in Avira antivirus can increase system privileges
The developer has made efforts to mask the malicious activity of his products. So, an advertisement began to appear no earlier than 24 minutes after interacting with an infected application and often tried to mislead the victim, as it contained logos of other applications, for example, the Google Play Store.
“The various stealth and resilience techniques implemented in the adware show us that the culprit was aware of the malicious nature of the added functionality and attempted to keep it hidden”, — say ESET researchers.
According to ESET, a student from Vietnam stands behind the development of 42 infected applications, whose names the researchers did not disclose. He began uploading the malware to the official catalog in July 2018, and at the time of the discovery of the threat by the researchers, 21 applications were still active.
Since the student began by developing and publishing “clean” applications, he did not take any precautions to hide his identity in earlier versions of his products. As a result, the experts managed to associate the email addresses that he used to register advertising domains with his personal accounts on GitHub, YouTube and, ultimately, on Facebook.
