Don’t we all love to see ads? Especially when they pop up on our screen when we are doing something really important. Ah! Ads are just so pleasing, aren’t they?
Okay, enough of the sarcasm. If you share a biased hatred towards ads, then you are going to find a sweet sense of revenge in this news.
‘Ashas’ adware family busted!
- 42 apps on Google Play store have been found to contain adware.
- These apps have around 8 million downloads.
- They are all linked back to a Vietnamese student (who didn’t hide his identity very well, obviously)
- They do what they say they do (video downloader, ringtone maker and blah blah) but they also start showing unwanted ads to the user.
- They send the user’s data to the perpetrator’s command and control server. (Not cool, right?)
- The C&C server then sends configuration data to the apps in order for them to display full screen ads and avoid scrutiny.
- The apps have been taken down by Google after they were reported. Sweet!
How were they getting by till now?
The bad actor (the Vietnamese student) used a lot of tricks to hide the fact that the apps had adware in them. But apparently he forgot to hide his own identity. Beginners, right?
- The apps first checked the victim’s IP address against a list of Google servers’ IP addresses. If nothing matched, then the app deemed it safe to turn on the adware.
- The apps had a delay mechanism in place which allowed for a certain time to lapse between downloading the app and displaying the first ad. This prevented users from instantly labelling the app with adware.
- The app was automatically creating a shortcut of itself on the device so that even if a victim tried to uninstall it through the icon, it would only remove the shortcut while the actual app kept running in the background.
- If a user tried to confirm which app was showing the unwanted ads by tapping the ‘Recent Apps’ button, the app would show a Facebook or Google icon to deceive the user.
- The adware code of all these apps was hidden under the com.google.xxx package name to fool detection tools by pretending to be a trusted party.
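The last trick is the easiest one to check for during app vetting. The sketch below is an added example, not code from the researchers' disclosure: it flags third-party apps that carry classes under a com.google.* namespace that matches no known Google library. The record fields, the `google_signed` flag, the sample apps and the (non-exhaustive) library prefix list are assumptions made for illustration.

```python
# Added example; records and field names are constructed for illustration.
# Real Google-published library namespaces that legitimately ship inside third-party apps.
KNOWN_GOOGLE_LIBS = (
    "com.google.android.gms.",
    "com.google.android.material.",
    "com.google.firebase.",
    "com.google.gson.",
    "com.google.common.",
    "com.google.protobuf.",
)

def unrecognised_google_classes(classes):
    """Classes under com.google.* that belong to no known Google library."""
    return sorted(
        c for c in classes
        if c.startswith("com.google.") and not c.startswith(KNOWN_GOOGLE_LIBS)
    )

def triage(app):
    """Return a finding dict if a non-Google app hides code under com.google.*, else None."""
    if app["google_signed"]:  # assumption: signer was verified out of band
        return None
    odd = unrecognised_google_classes(app["classes"])
    if not odd:
        return None
    return {
        "app_id": app["app_id"],
        "reason": "third-party app defines code under an unrecognised com.google.* namespace",
        "classes": odd,
    }

# Constructed sample inventory (not real apps or real class names).
SAMPLE_APPS = [
    {"app_id": "com.example.videodownloader", "google_signed": False,
     "classes": ["com.example.videodownloader.MainActivity",
                 "com.google.xxx.AdService",
                 "com.google.android.gms.ads.AdView"]},
    {"app_id": "com.example.notes", "google_signed": False,
     "classes": ["com.example.notes.MainActivity",
                 "com.google.gson.Gson"]},
]

def flagged(apps):
    """Run triage over an inventory and keep only the apps with findings."""
    return [f for f in map(triage, apps) if f]

if __name__ == "__main__":
    for finding in flagged(SAMPLE_APPS):
        print(finding["app_id"], finding["classes"])
```

A hit is a reason to look closer, not a verdict: the prefix list has to be kept current, and legitimate apps may bundle Google libraries that are not on it.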
How did this guy get caught?
OSINT! We hope you know what OSINT is. (It’s really cool, btw). It is short for open source intelligence and you could find more about it here because, well... it deserves a whole separate blog post. Okay?
Anyway, so the researchers followed the domain related to all these apps and found that the registration details had information like the name and email ID of this guy.
They dug some more and confirmed that the Vietnamese student was, in fact, the one behind this ‘Ashas’ adware family. He even has a YouTube channel promoting his apps, which are also on the iOS App Store. Even though the iOS versions do not have adware, we still wouldn’t recommend you download them.
- Do we even need to mention that you should delete these apps (and not just their shortcuts) from your phone, if you happen to have them?
- Do not download apps from developers you do not trust. It’s like taking candy from a stranger!
- Keep reading cybersecurity news once a day. Awareness is the first step to safety.
- Read the full disclosure here. Share this immediately with friends and family who are not that tech savvy and may have downloaded these infected apps.
If you personally know about any adware apps, this is the time to tell everyone. Say it in the comments. (Or just drop a thumbs up if you are happy to hear this news.)
Stay tuned, stay safe.