Researchers have uncovered a large adware campaign that ran for about a year, with the apps involved installed eight million times from Google Play alone.
Researchers at ESET identified 42 apps on Google Play as belonging to the campaign, which had been running since July 2018. Of those, 21 were still available at the time of discovery. ESET reported the apps to the Google security team, which removed them; however, they remain available in third-party app stores. ESET detects the adware as Android/AdDisplay.Ashas.
“All the apps provide the functionality they promise, besides working as adware,” said Lukas Stefanko, malware researcher at ESET in a post. “The adware functionality is the same in all the apps we analyzed. Once launched, the app starts to communicate with its C&C server (whose IP address is base64-encoded in the app). It sends ‘home’ key data about the affected device: Device type, OS version, language, number of installed apps, free storage space, battery status, whether the device is rooted and Developer mode enabled, and whether Facebook and FB Messenger are installed. The app receives configuration data from the C&C server, needed for displaying ads, and for stealth and resilience.”
For stealth and resilience, the attacker uses a number of tricks, Stefanko said.
First, the malicious app tries to determine whether it is being tested by the Google Play security mechanism, he said. For this purpose, the app receives from the C&C server the isGoogleIp flag, which indicates whether the IP address of the affected device falls within the range of known IP addresses for Google servers. If the server returns this flag as positive, the app will not trigger the adware payload.
Second, the app can set a custom delay between displaying ads, he said.
“The samples we have seen had their configuration set to delay displaying the first ad by 24 minutes after the device unlocks,” he said. “This delay means a typical testing procedure, which takes less than 10 minutes, will not detect any unwanted behavior. Also, the longer the delay, the lower the risk of the user associating the unwanted ads with a particular app.”
Third, based on the server response, the app can also hide its icon and create a shortcut instead, Stefanko said. If a typical user tries to get rid of the malicious app, chances are that only the shortcut ends up getting removed. The app then continues to run in the background without the user’s knowledge. This stealth technique has been gaining popularity among adware-related threats distributed via Google Play.
Once the malicious app receives its configuration data, the affected device is ready to display ads as per the attacker’s choice; each ad is displayed as a full screen activity.
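The gating logic described above is what defeats a short sandbox run: the C&C reply suppresses the payload on Google-range addresses, and the delay after unlock outlasts a typical test. The following Python model is an added example, not ESET's code and not code recovered from the Ashas samples. The isGoogleIp flag and the 24-minute delay come from the article; the other field names (adDelayMinutes, hideIcon), the Google address range (a documentation prefix standing in for the real ranges) and the base64-encoded C&C address (a documentation address) are assumptions constructed for the example.

```python
import base64
import ipaddress
from typing import Optional

# Constructed stand-in for the base64 string an analyst would pull out of the
# APK; the article says the C&C IP is stored base64-encoded in the app.
# 203.0.113.10 is a documentation address (TEST-NET-3), not a real server.
ENCODED_C2 = base64.b64encode(b"203.0.113.10").decode("ascii")

# Assumption: the C&C derives isGoogleIp by matching the client's address
# against known Google ranges. This list is a made-up stand-in (TEST-NET-2),
# not Google's real address space.
GOOGLE_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

# From the article: first ad 24 minutes after the device unlocks.
AD_DELAY_MINUTES = 24


def decode_c2(encoded: str) -> str:
    """Recover the C&C address from the base64 string embedded in the app."""
    return base64.b64decode(encoded).decode("ascii")


def is_google_ip(client_ip: str) -> bool:
    """Server-side check: does the victim's address fall in a Google range?"""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in GOOGLE_RANGES)


def build_config(client_ip: str) -> dict:
    """Model the configuration reply the C&C sends to the app.
    isGoogleIp is the flag named in the article; the other keys are assumed."""
    return {
        "isGoogleIp": is_google_ip(client_ip),
        "adDelayMinutes": AD_DELAY_MINUTES,
        "hideIcon": True,
    }


def should_show_ad(config: dict, minutes_since_unlock: int) -> bool:
    """Client-side gate: never fire on Google infrastructure, and otherwise
    only once the configured delay after unlock has elapsed."""
    if config["isGoogleIp"]:
        return False
    return minutes_since_unlock >= config["adDelayMinutes"]


def simulate(client_ip: str, test_window_minutes: int,
             config_override: Optional[dict] = None) -> bool:
    """Return True if an ad would be observed within the test window.

    config_override lets an analyst mock the C&C reply (for example force
    isGoogleIp=False and a zero delay) instead of letting the real server
    decide, which is how a dynamic-analysis run exposes the payload quickly.
    """
    config = build_config(client_ip)
    if config_override:
        config.update(config_override)
    # The gate is monotonic in time, so checking the end of the window suffices.
    return should_show_ad(config, test_window_minutes)


if __name__ == "__main__":
    print("C&C address:", decode_c2(ENCODED_C2))
    print("Google-range sandbox, 60 min:", simulate("198.51.100.7", 60))
    print("Ordinary IP, 10 min test:", simulate("203.0.113.99", 10))
    print("Ordinary IP, 30 min test:", simulate("203.0.113.99", 30))
    print("Mocked C&C reply, 1 min:",
          simulate("198.51.100.7", 1,
                   {"isGoogleIp": False, "adDelayMinutes": 0}))
```

The practical takeaway for analysts is the last case: because both evasion decisions originate in the server reply, intercepting the C&C exchange and substituting a permissive configuration surfaces the ad activity in a single minute, whereas extending the test window alone still fails from any Google-range address.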
“Based solely on open source intelligence, we were able to trace the developer of the Ashas adware, establish his identity and discover additional related adware-infected apps,” Stefanko said. “Seeing that the developer did not take any measures to protect his identity, it seems likely that his intentions weren’t dishonest at first – and this is also supported by the fact that not all his published apps contained unwanted ads.”
“At some point in his Google Play ‘career’, he apparently decided to increase his ad revenue by implementing adware functionality in his apps’ code. The various stealth and resilience techniques implemented in the adware show us the culprit was aware of the malicious nature of the added functionality and attempted to keep it hidden.”