![\"\"](\"https:\/\/www.welivesecurity.com\/wp-content\/uploads\/2019\/10\/Figure-1-1.png\")
<\/a><\/figure>\n\n\n\nFigure 1. Apps of the Android\/AdDisplay.Ashas family reported to Google by ESET<\/em><\/p>\n\n\n\n Figure 2. The most popular member of the Android\/AdDisplay.Ashas family on Google Play was \u201cVideo downloader master\u201d with over five million downloads<\/em><\/p>\n\n\n\n All the apps provide the functionality they promise, besides working as adware. The adware functionality is the same in all the apps we analyzed. [Note: The analysis of the functionality below describes a single app, but applies to all apps of the Android\/AdDisplay.Ashas family.]<\/p>\n\n\n\n Once launched, the app starts to communicate with its C&C server (whose IP address is base64-encoded in the app). It sends \u201chome\u201d key data about the affected device: device type, OS version, language, number of installed apps, free storage space, battery status, whether the device is rooted and Developer mode<\/em> enabled, and whether Facebook and FB Messenger are installed.<\/p>\n\n\n\n Figure 3. Sending information about the affected device<\/em><\/p>\n\n\n\n The app receives configuration data from the C&C server, needed for displaying ads, and for stealth and resilience.<\/p>\n\n\n\n Figure 4. Configuration file received from the C&C server<\/em><\/p>\n\n\n\n As for stealth and resilience, the attacker uses a number of tricks.<\/p>\n\n\n\n First, the malicious app tries to determine whether it is being tested by the Google Play security mechanism. For this purpose, the app receives from the C&C server the isGoogleIp<\/em> flag, which indicates whether the IP address of the affected device falls within the range of known IP addresses for Google servers. If the server returns this flag as positive, the app will not trigger the adware payload.<\/p>\n\n\n\n Second, the app can set a custom delay between displaying ads. The samples we have seen had their configuration set to delay displaying the first ad by 24 minutes after the device unlocks. This delay means that a typical testing procedure, which takes less than 10 minutes, will not detect any unwanted behavior. Also, the longer the delay, the lower the risk of the user associating the unwanted ads with a particular app.<\/p>\n\n\n\n Third, based on the server response, the app can also hide its icon and create a shortcut instead. If a typical user tries to get rid of the malicious app, chances are that only the shortcut ends up getting removed. The app then continues to run in the background without the user\u2019s knowledge. This stealth technique has been gaining popularity among adware-related threats distributed via Google Play.<\/p>\n\n\n\n Figure 5. Time delay to postpone displaying ads implemented by the adware<\/em><\/p>\n\n\n\n Once the malicious app receives its configuration data, the affected device is ready to display ads as per the attacker\u2019s choice; each ad is displayed as a full screen activity. If the user wants to check which app is responsible for the ad being displayed, by hitting the \u201cRecent apps\u201d button, another trick is used: the app displays a Facebook or Google icon, as seen in Figure 6. The adware mimics these two apps to look legitimate and avoid suspicion \u2013 and thus stay on the affected device for as long as possible.<\/p>\n\n\n\n Figure 6. The adware activity impersonates Facebook (left). If the user long-presses the icon, the name of the app responsible for the activity is revealed (right).<\/em><\/p>\n\n\n\n Finally, the Ashas adware family has its code hidden under the com.google.xxx<\/em> package name. This trick \u2013 posing as a part of a legitimate Google service \u2013 may help avoid scrutiny. Some detection mechanisms and sandboxes may whitelist such package names, in an effort to prevent wasting resources.<\/p>\n\n\n\n Figure 7. Malicious code hidden in a package named \u201ccom.google\u201d<\/em><\/p>\n\n\n\n Using open-source information, we tracked down the developer of the adware, who we also identified as the campaign\u2019s operator and owner of the C&C server. In the following paragraphs, we outline our efforts to discover other applications from the same developer and protect our users from it.<\/p>\n\n\n\n First, based on information that is associated with the registered C&C domain, we identified the name of the registrant, along with further data like country and email address, as seen in Figure 8.<\/p>\n\n\n\n Figure 8. Information about the C&C domain used by the Ashas adware<\/em><\/p>\n\n\n\n Knowing that the information provided to a domain registrar might be fake, we continued our search. The email address and country information drove us to a list of students attending a class at a Vietnamese university \u2013 corroborating the existence of the person under whose name the domain was registered.<\/p>\n\n\n\n Figure 9. A university class student list including the C&C domain registrant<\/em><\/p>\n\n\n\n Due to poor privacy practices on the part of our culprit\u2019s university, we now know his date of birth (probably: he seemingly used his birth year as part of his Gmail address, as further partial confirmation), we know that he was a student and what university he attended. We were also able to confirm that the phone number he provided to the domain registrar was genuine. Moreover, we retrieved his University ID; a quick googling showed some of his exam grades. However, his study results are out of the scope of our research.<\/p>\n\n\n\n Based on our culprit\u2019s email address, we were able to find his GitHub repository. His repository proves that he is indeed an Android developer, but it contained no publicly available code of the Ashas adware at the time of writing of this blogpost.<\/p>\n\n\n\n However, a simple Google search for the adware package name returned a \u201cTestDelete\u201d project that had been available in his repository at some point<\/p>\n\n\n\n The malicious developer also has apps in Apple\u2019s App Store. Some of them are iOS versions of the ones removed from Google Play, but none contain adware functionality.<\/p>\n\n\n\n Figure 10. The malicious developer\u2019s apps published on the App Store which don\u2019t contain the Ashas adware<\/em><\/p>\n\n\n\n Searching further for the malicious developer\u2019s activities, we also discovered his Youtube channel propagating the Ashas adware and his other projects. As for the Ashas family, one of the associated promotional videos, \u201cHead Soccer World Champion 2018 \u2013 Android, ios\u201d was viewed almost three million times and two others reached hundreds of thousands of views, as seen in Figure 11.<\/p>\n\n\n\n Figure 11. YouTube channel of the malicious developer<\/em><\/p>\n\n\n\n His YouTube channel provided us with another valuable piece of information: he himself features in a video tutorial for one of his other projects. Thanks to that project, we were able to extract his Facebook profile \u2013 which lists his studies at the aforementioned university.<\/p>\n\n\n\n Figure 12. Facebook profile of the C&C domain registrar (cover picture and profile picture edited out)<\/em><\/p>\n\n\n\n Linked on the malicious developer\u2019s Facebook profile, we discovered a Facebook page, Minigameshouse<\/em>, and an associated domain, minigameshouse[.]net. This domain is similar to the one the malware author used for his adware C&C communication, minigameshouse[.]us.<\/p>\n\n\n\n Checking this Minigameshouse<\/em> page further indicates that this person is indeed the owner of the minigameshouse[.]us domain: the phone number registered with this domain is the same as the phone number appearing on the Facebook page.<\/p>\n\n\n\n Figure 13. Facebook page managed by the C&C domain registrant uses the same base domain name (minigameshouse) and phone number as the registered malicious C&C used by the Ashas adware<\/em><\/p>\n\n\n\n Of interest is that on the Minigameshouse<\/em> Facebook page, the malicious developer promotes a slew of games beyond the Ashas family for download on both Google Play and the App Store. However, all of those have been removed from Google Play \u2013 despite the fact that some of them didn\u2019t contain any adware functionality.<\/p>\n\n\n\n On top of all this, one of the malicious developer\u2019s YouTube videos \u2013 a tutorial on developing an \u201cInstant Game\u201d for Facebook \u2013 serves as an example of operational security completely ignored. We were able to see that his recently visited web sites were Google Play pages belonging to apps containing the Ashas adware. He also used his email account to log into various services in the video, which identifies him as the adware domain owner, beyond any doubt.<\/p>\n\n\n\n Thanks to the video, we were even able to identify three further apps that contained adware functionality and were available on Google Play.<\/p>\n\n\n\n<\/a><\/figure>\n\n\n\nAshas functionality<\/h2>\n\n\n\n
<\/a><\/figure>\n\n\n\n<\/a><\/figure>\n\n\n\n<\/a><\/figure>\n\n\n\n<\/a><\/figure>\n\n\n\n<\/a><\/figure>\n\n\n\nHunting down the developer<\/h2>\n\n\n\n
<\/a><\/figure>\n\n\n\n<\/a><\/figure>\n\n\n\n<\/a><\/figure>\n\n\n\n<\/a><\/figure>\n\n\n\n<\/a><\/figure>\n\n\n\n<\/a><\/figure>\n\n\n\n