Google’s Play Store has been in the constant fire for allowing malware wreak havoc in its users. A warning has been issued to millions of Android users as researchers from ESET discovered a new campaign that affected dozens of apps.
The campaign has affected a total of 42 apps, 21 of which are still active and available on Google Play Store by the time of the discovery. Following ESET’s report, however, all the affected apps were removed from the Play Store.
A year-long campaign in the Play Store with over 8 million downloads
The campaign has been active on Google’s Play Store for a year now and has racked in an astonishing 8 million downloads. But some of these apps could still be available in other third-party stores. Below are some of the apps that were affected by the malware:
According to ESET’s report, most of the newly discovered Android adware were disguised in gaming and utility apps. Still, these apps provide the functionality they promise, however, they sneak in intrusive ads. The adware was classified by ESET as Android/AdDisplay.Ashas.
How does the Android adware work?
Adware is a type of malware that hides your device so it can serve you unwanted adverts, which includes scam ads. Additionally, these adware-containing apps can drain your battery faster than usual, increase network traffic, and will gather your data without your knowledge.
Upon launching, these apps send smartphone data such as device type, operating system version, number of installed apps, language, free storage space, and if your device is rooted or is on Developer mode to its C&C server. Surprisingly, the apps also informed the server whether Facebook or Messenger was installed in the device.
Then, the server communicates the configuration data required for displaying ads from the server. The affected apps subsequently show full-screen ads on top of the other apps. Aside from that, the server also sends configuration for stealth and resilience making it even harder for users to detect the adware. ESET says that all 42 apps work the same.
Apps have misleading apps making it harder to detect
ESET found that these apps used a few creative techniques to avoid detection. First, the app will try to determine whether it is being tested by the Google Play security mechanism. If the handset falls in the range of known IP addresses for Google server, it receives an ‘isGoogleIp’ flag from its server. And if it does, it doesn’t trigger the adware.
Second, the server sets a custom delay between displaying two ads. Tests conducted by ESET show that apps are displaying 24 minutes after the device has been unlocked. With this, it helps the server bypass the testing procedure, which usually just takes about 10 minutes. ESET notes that the longer the delay, the more chance the app bypassing the procedure.
Lastly, this technique is based on server response which enabled the app to hide its icon and make a shortcut instead. For example, if the user tries to uninstall the app from the drawer, they would just end up removing just the shortcut. Sadly, the app would just run in the background still displaying those intrusive fullscreen ads.
Developer tracked down in Vietnam
ESET’s team tracked down the developer of this Android adware to a university student living in Hanoi, Vietnam. The developer’s identity was not disclosed to the public but the researchers found that he is the campaign’s operator and owner of the C&C server.
The developer’s intentions weren’t bad at first, not all apps contained the adware in their initial versions and they were really clean and legitimate apps. Eventually, the adware codes were pushed into the apps through updates. He was probably trying to increase the ad revenue of his apps as some of his published apps don’t show intrusive ads.
The developer did not protect his identity at all so he was easily traced. Personal information such as email address, phone number, University ID, Facebook account, YouTube channel, and many others were all out in the open that ESET easily found him. Furthermore, the developer also has apps in Apple’s App Store, however, none contain the adware functionality.