ESET, a Bratislava, Slovakia-based antivirus and internet security solutions company, recently discovered an Android adware campaign affecting millions of users. The campaign was active on Google Play for over a year, racking up a staggering eight million downloads.
A total of 42 apps were part of this adware campaign, of which 21 were still available on Google Play at the time of discovery. All of these apps have been removed from the store following ESET’s report. Some of these apps may still be available on third-party app stores, though.
According to ESET’s report, most of the newly discovered Android adware were utility and simple gaming apps. And while they provide the functionality they promise, they sneak in intrusive ads as well. ESET classifies this adware as Android/AdDisplay.Ashas.
On launching, these apps send smartphone data that may include device type, OS version, language, number of installed apps, free storage space, battery status, and if the device is rooted or is on Developer mode to its C&C server. The apps also informed the server if Facebook or Messenger were installed.
The server then communicates the configuration data needed for displaying ads from the server. The apps subsequently show fullscreen ads overlaid on top of other apps. The server also sends configuration for stealth and resilience, so as to make it harder for users to detect the adware. All of the 42 apps work the same way, ESET says.
Misleading names make it hard to detect
ESET found that these apps used several creative techniques to avoid detection. Firstly, the app tries to determine whether it is being tested by the Google Play security mechanism. It receives ‘isGoogleIp’ flag from its server, determining if the handset falls in the range of known IP addresses for Google servers. If it does, the app doesn’t trigger the adware.
The second trick used sets a custom delay between displaying two ads. ESET’s tests found the apps to be displaying ads 24 minutes after the device unlocks. This helps them bypass the testing procedure, which usually takes less than 10 minutes. As ESET notes, the longer the delay, the more chance of the app bypassing the security procedure.
The third trickery, which is based on the server response, enables the app to hide its icon and create a shortcut instead. So if a user tries to uninstall the app from the app drawer, he/she would end up removing just the shortcut. The app then continues to run in the background, displaying those intrusive fullscreen ads.
To make the matter worse for the user, hitting the “Recent apps” button when the ad is being displayed doesn’t give away anything either. The app shows the icon of Google or Facebook or some other icon to plausibly resemble an innocuous app. Further, these apps have their code hidden in a com.google.xxx package, which makes them look a part of a legitimate Google service.
Earlier this month, Sophos Labs had discovered 15 Android adware apps implementing similar methods for hiding.
Developer tracked down to Vietnam
ESET has tracked down the developer of this Android adware campaign to a university student living in Hanoi, Vietnam. His identity wasn’t made public but the researchers found that he was the campaign’s operator and owner of the C&C server.
ESET noted that the developer’s intentions may not be bad at first. Apparently, not all the apps contained the adware in their initial versions. They were legitimate and clean apps. The adware codes were pushed into them through updates. He was possibly trying to increase ad revenue from his apps. Also, some of his published apps don’t show these intrusive ads.
Further, the developer didn’t protect his information at all and so he was easily traced. His personal information was so open that ESET could find his email address, phone number, University ID, Facebook account, YouTube channel, GitHub repository, and much more with ease.
This developer also has apps in Apple’s App Store. However, none of them contain adware functionality.