A year-long investigation by ESET of an adware campaign found 42 apps on Google Play that had been downloaded 8 million times, along with the Vietnamese malicious actor behind the scheme.
The campaign has been active since July 2018, and while all the apps were reported to Google and removed, they can still be found in third-party app stores. The types of apps that fell into what ESET is calling the Ashas adware family ranged from free FM radio to games to file downloaders. All provided the functionality they promised, along with a healthy dose of adware.
Using information gleaned from open sources, plus the malicious developer’s incredibly poor sense of operational security, ESET was able to nail down the identity of the person behind the campaign. However, the company did not reveal the individual’s name.
The first bit of evidence came from the C&C server registration, which had a name, email, country, city and phone number. While double checking the veracity of the email provided, ESET was led to a list of students attending a Vietnamese university, where it was found that the name associated with the email was also listed as a student.
The now-confirmed email address also led to an empty GitHub repository, and a YouTube channel pushing the adware-laced apps was also found, along with a video tutorial on another Facebook-focused project, which very kindly contained the student’s image and led to his Facebook page.
ESET then took advantage of the university’s poor cybersecurity and found the malicious actor’s birth date, his university ID number and some exam grades.
The student also has ads in place in Apple’s App Store, but none was malicious.
That cannot be said about the Android apps this person developed.
All the malicious apps followed the same formula once they were downloaded.
The first action was to contact the command and control server. The C&C IP address is base64-encoded into the app, and the app passes along to the server the device type, OS version, language, number of installed apps, free storage space, battery status, whether the device is rooted and Developer mode-enabled, and whether Facebook and FB Messenger are installed.
Once this info is received the C&C server sends configuration data to the app to display the adware ads and to maintain stealth and persistence. The malware also hides from the Google Play security mechanism, which is accomplished by making sure the infected device is not within the range of known IP addresses for Google servers. If the server returns this flag as positive, the app will not trigger the adware payload.
Another method used to avoid being tested by Google is delaying the onset of the first adware by 24 minutes, which should put it outside the 10-minute envelope when a test is usually instituted. Additionally, the app can hide its icon or create a shortcut. That way if the user attempts to remove it, only the shortcut is removed while the app keeps running.
The adware is shown as a full display ad that contains either a Google or Facebook icon to appear legit to the user. The creators did not ignore the backend and hid the code under com.google.xxx package name because some sandboxes whitelest these package names.
“Based solely on open source intelligence, we were able to trace the developer of the Ashas adware and establish his identity and discover additional related adware-infected apps. Seeing that the developer did not take any measures to protect his identity, it seems likely that his intentions weren’t dishonest at first – and this is also supported by the fact that not all his published apps contained unwanted ads,” ESET said.