Android adware spread via 42 Play Store apps by a Vietnamese student

42 Google Play Store apps involved in the Ashas adware campaign were downloaded for over 8 million times

Android adware spread via 42 Play Store apps by a Vietnamese student42 Play Store apps got involved in an advertising campaign and were downloaded for around 8 million times

Security experts have discovered 42 Google Play Store apps involved in an adware campaign since July 2018. Half of these applications were still recently active and included various video downloading programs, music players, gallery, note recorder services, and several gaming applications.

The mentioned apps and a lot more of Play Store programs were used for an adware campaign dubbed Ashas that was developed by a student from Hanoi, Vietnam. According to security reports, the 42 apps were installed for around eight million times since they were first released.[1]

However, not all primary versions of the produced applications held adware inside as the developer released the apps for legitimate business at first until he decided to run an adware campaign instead. Once the student was running his business legally, he did not tend to hide the identity which made him easily exposable now.

The app runs ads 24 minutes after installation and comes camouflaged with a logo from Facebook or Google

Once an adware-based application is downloaded on the user's mobile phone device and activated, the app makes contact with a Command and Control server and gathers some information about the affected Android device such as the type, operating system version, language used, space left, the number of programs already installed, the availability of Facebook or Messenger, battery condition, and if the developer mode has been activated.

Afterward, the installed application checks if Google Play security services are spying on it or not. If the safety mechanism is activated, the app avoids launching its suspicious content on the device. However, if everything is operating properly, the app waits 24 minutes after its installation before targetting the user's device with suspicious offers and deals.[2] Additionally, the adware tries to convince users about its safe nature and provides ads containing fake Google or Facebook logos.[3]

The adware developers will supposedly not have to face any serious consequences

According to researchers, the adware developer was not hard to track down as he did not keep the identity secret in the first place. Experts tended to search for information related to the registered Command and Control server[4] that belonged to the adware developer.

The research revealed the email that is associated with the Command and Control domain and that it is based in Hanoi, Vietnam, also a mobile phone number, the domain, and registrar names. Experts discovered some clues that the data belongs to a student from Vietnamese and found out that it was true.

Even though this person inserted adware into Google Play Store applications without notifying anyone, there is very little chance that he will face bad consequences as law agencies are interested in catching real hackers that get involved in massive incidents and not just “try” some type of bogus activity.

The infected applications have been already removed from the Play Store, however, some of them might still be promoted in third-party stores. Go through the entire list[5] of questionable applications and make sure that you do not download some to your Android phone.

About the author
Julie Splinters
Julie Splinters - Anti-malware specialist

Julie Splinters is the News Editor of 2-spyware. Her bachelor was English Philology.

Contact Julie Splinters
About the company Esolutions