We detected a large adware campaign running for about a year, with the involved apps installed eight million times from Google Play alone.
We identified 42 apps on Google Play as belonging to the campaign, which had been running since July 2018. Of those, 21 were still available at the time of discovery. We reported the apps to the Google security team and they were swiftly removed. However, the apps are still available in third-party app stores. ESET detects this adware, collectively, as Android/AdDisplay.Ashas.
Figure 1. Apps of the Android/AdDisplay.Ashas family reported to Google by ESET
Figure 2. The most popular member of the Android/AdDisplay.Ashas family on Google Play was “Video downloader master” with over five million downloads
All the apps provide the functionality they promise, besides working as adware. The adware functionality is the same in all the apps we analyzed. [Note: The analysis of the functionality below describes a single app, but applies to all apps of the Android/AdDisplay.Ashas family.]
Once launched, the app starts to communicate with its C&C server (whose IP address is base64-encoded in the app). It sends “home” key data about the affected device: device type, OS version, language, number of installed apps, free storage space, battery status, whether the device is rooted and Developer mode enabled, and whether Facebook and FB Messenger are installed.
Figure 3. Sending information about the affected device
The app receives configuration data from the C&C server, needed for displaying ads, and for stealth and resilience.
Figure 4. Configuration file received from the C&C server
As for stealth and resilience, the attacker uses a number of tricks.
First, the malicious app tries to determine whether it is being tested by the Google Play security mechanism. For this purpose, the app receives from the C&C server the isGoogleIp flag, which indicates whether the IP address of the affected device falls within the range of known IP addresses for Google servers. If the server returns this flag as positive, the app will not trigger the adware payload.
Second, the app can set a custom delay between displaying ads. The samples we have seen had their configuration set to delay displaying the first ad by 24 minutes after the device unlocks. This delay means that a typical testing procedure, which takes less than 10 minutes, will not detect any unwanted behavior. Also, the longer the delay, the lower the risk of the user associating the unwanted ads with a particular app.
Third, based on the server response, the app can also hide its icon and create a shortcut instead. If a typical user tries to get rid of the malicious app, chances are that only the shortcut ends up getting removed. The app then continues to run in the background without the user’s knowledge. This stealth technique has been gaining popularity among adware-related threats distributed via Google Play.
Figure 5. Time delay to postpone displaying ads implemented by the adware
Once the malicious app receives its configuration data, the affected device is ready to display ads as per the attacker’s choice; each ad is displayed as a full screen activity. If the user wants to check which app is responsible for the ad being displayed, by hitting the “Recent apps” button, another trick is used: the app displays a Facebook or Google icon, as seen in Figure 6. The adware mimics these two apps to look legitimate and avoid suspicion – and thus stay on the affected device for as long as possible.
Figure 6. The adware activity impersonates Facebook (left). If the user long-presses the icon, the name of the app responsible for the activity is revealed (right).
Finally, the Ashas adware family has its code hidden under the com.google.xxx package name. This trick – posing as a part of a legitimate Google service – may help avoid scrutiny. Some detection mechanisms and sandboxes may whitelist such package names, in an effort to prevent wasting resources.
Figure 7. Malicious code hidden in a package named “com.google”
Hunting down the developer
Using open-source information, we tracked down the developer of the adware, who we also identified as the campaign’s operator and owner of the C&C server. In the following paragraphs, we outline our efforts to discover other applications from the same developer and protect our users from it.
First, based on information that is associated with the registered C&C domain, we identified the name of the registrant, along with further data like country and email address, as seen in Figure 8.
Figure 8. Information about the C&C domain used by the Ashas adware
Knowing that the information provided to a domain registrar might be fake, we continued our search. The email address and country information drove us to a list of students attending a class at a Vietnamese university – corroborating the existence of the person under whose name the domain was registered.
Figure 9. A university class student list including the C&C domain registrant
Due to poor privacy practices on the part of our culprit’s university, we now know his date of birth (probably: he seemingly used his birth year as part of his Gmail address, as further partial confirmation), we know that he was a student and what university he attended. We were also able to confirm that the phone number he provided to the domain registrar was genuine. Moreover, we retrieved his University ID; a quick googling showed some of his exam grades. However, his study results are out of the scope of our research.
Based on our culprit’s email address, we were able to find his GitHub repository. His repository proves that he is indeed an Android developer, but it contained no publicly available code of the Ashas adware at the time of writing of this blogpost.
However, a simple Google search for the adware package name returned a “TestDelete” project that had been available in his repository at some point
The malicious developer also has apps in Apple’s App Store. Some of them are iOS versions of the ones removed from Google Play, but none contain adware functionality.
Figure 10. The malicious developer’s apps published on the App Store which don’t contain the Ashas adware
Searching further for the malicious developer’s activities, we also discovered his Youtube channel propagating the Ashas adware and his other projects. As for the Ashas family, one of the associated promotional videos, “Head Soccer World Champion 2018 – Android, ios” was viewed almost three million times and two others reached hundreds of thousands of views, as seen in Figure 11.
Figure 11. YouTube channel of the malicious developer
His YouTube channel provided us with another valuable piece of information: he himself features in a video tutorial for one of his other projects. Thanks to that project, we were able to extract his Facebook profile – which lists his studies at the aforementioned university.
Figure 12. Facebook profile of the C&C domain registrar (cover picture and profile picture edited out)
Linked on the malicious developer’s Facebook profile, we discovered a Facebook page, Minigameshouse, and an associated domain, minigameshouse[.]net. This domain is similar to the one the malware author used for his adware C&C communication, minigameshouse[.]us.
Checking this Minigameshouse page further indicates that this person is indeed the owner of the minigameshouse[.]us domain: the phone number registered with this domain is the same as the phone number appearing on the Facebook page.
Figure 13. Facebook page managed by the C&C domain registrant uses the same base domain name (minigameshouse) and phone number as the registered malicious C&C used by the Ashas adware
Of interest is that on the Minigameshouse Facebook page, the malicious developer promotes a slew of games beyond the Ashas family for download on both Google Play and the App Store. However, all of those have been removed from Google Play – despite the fact that some of them didn’t contain any adware functionality.
On top of all this, one of the malicious developer’s YouTube videos – a tutorial on developing an “Instant Game” for Facebook – serves as an example of operational security completely ignored. We were able to see that his recently visited web sites were Google Play pages belonging to apps containing the Ashas adware. He also used his email account to log into various services in the video, which identifies him as the adware domain owner, beyond any doubt.
Thanks to the video, we were even able to identify three further apps that contained adware functionality and were available on Google Play.
Figure 14. Screenshots from this developer’s YouTube video shows history of checking Ashas adware on Google Play
Figure 15. ESET detections of Android/AdDisplay.Ashas on Android devices by country
Is adware harmful?
Because the real nature of apps containing adware is usually hidden to the user, these apps and their developers should be considered untrustworthy. When installed on a device, apps containing adware may, among other things:
- Annoy users with intrusive advertisements, including scam ads
- Waste the device’s battery resources
- Generate increased network traffic
- Gather users’ personal information
- Hide their presence on the affected device to achieve persistence
- Generate revenue for their operator without any user interaction
Based solely on open source intelligence, we were able to trace the developer of the Ashas adware and establish his identity and discover additional related adware-infected apps. Seeing that the developer did not take any measures to protect his identity, it seems likely that his intentions weren’t dishonest at first – and this is also supported by the fact that not all his published apps contained unwanted ads.
At some point in his Google Play “career”, he apparently decided to increase his ad revenue by implementing adware functionality in his apps’ code. The various stealth and resilience techniques implemented in the adware show us that the culprit was aware of the malicious nature of the added functionality and attempted to keep it hidden.
Sneaking unwanted or harmful functionality into popular, benign apps is a common practice among “bad” developers, and we are committed to tracking down such apps. We report them to Google and take other steps to disrupt malicious campaigns we discover. Last but not least, we publish our findings to help Android users protect themselves.
Indicators of Compromise (IoCs)
MITRE ATT&CK techniques
|Initial Access||T1475||Deliver Malicious App via Authorized App Store||The malware impersonates legitimate services on Google Play|
|Persistence||T1402||App Auto-Start at Device Boot||An Android application can listen for the BOOT_COMPLETED broadcast, ensuring that the app’s functionality will be activated every time the device starts|
|Impact||T1472||Generate Fraudulent Advertising Revenue||Generates revenue by automatically displaying ads|
Kudos to @jaymin9687 for bringing the problem of unwanted ads in the “Video downloader master” app to our attention.