The research team at ESET recently detected a large adware campaign running for about a year, with the involved apps installed eight million times from Google Play alone.

ESET detects this adware, collectively, as Android/AdDisplay.Ashas. (Refer to Figure 1)

“We identified 42 apps on Google Play as belonging to this adware campaign, with 21 still available at the time of discovery. We reported the apps to the Google security team and they were swiftly removed. However, the apps are still available in third-party app stores,” said Lukáš Štefanko, ESET malware researcher, in the blog post.

He added that, “The apps provide the functionality they promise – including video downloading, simple gaming and radio play – besides working as adware. The adware functionality is the same in all the apps we analyzed.”

The malicious developer also has apps in Apple’s App Store. Some of them are iOS versions of the ones removed from Google Play, but none contained adware functionality at the time the blog post was written. (Refer to Figure 2)

Figure 2. The malicious developer’s apps published on the App Store which don’t contain the Ashas adware
Source: welivesecurity.com

Ashas Functionality

The apps affected by the Ashas adware use several tricks to reach users’ devices and remain undetected: checking for Google Play’s security testing mechanism; delaying the display of ads until well after the device is unlocked; hiding their icons and creating shortcuts instead. Let’s learn how the Ashas adware works, as explained by ESET researchers.

Once launched, the malicious app starts to communicate with its C&C server (whose IP address is base64-encoded in the app). It sends “home” key data about the affected device: device type, OS version, language, number of installed apps, free storage space, battery status, whether the device is rooted and Developer mode enabled, and whether Facebook and FB Messenger are installed.
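For static triage, the base64-encoded C&C address described above can be surfaced by decoding every base64-looking string in an app and keeping those that yield an IPv4 endpoint. The sketch below is an added example, not code from ESET or from the adware; it assumes the address is stored as an ASCII dotted quad (optionally with scheme, port and path), and the sample strings are constructed using documentation-range addresses.

```python
import base64
import binascii
import ipaddress
import re

# Base64 runs of at least 8 characters, with optional padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")
# Assumed plaintext shape: optional scheme, dotted quad, optional port/path.
ENDPOINT = re.compile(
    r"^(?:https?://)?(\d{1,3}(?:\.\d{1,3}){3})(?::\d{1,5})?(?:/\S*)?$")


def decode_endpoint(token):
    """Return the IPv4 address hidden in a base64 token, or None."""
    if len(token) % 4:
        return None  # not a complete base64 group
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    match = ENDPOINT.match(text.strip())
    if not match:
        return None
    try:
        # Rejects look-alikes such as 999.1.1.1
        return str(ipaddress.IPv4Address(match.group(1)))
    except ipaddress.AddressValueError:
        return None


def find_encoded_ips(strings):
    """Return (token, ip) pairs for every base64-encoded IPv4 endpoint found."""
    hits = []
    for s in strings:
        for token in B64_TOKEN.findall(s):
            ip = decode_endpoint(token)
            if ip:
                hits.append((token, ip))
    return hits


# Constructed sample, shaped like string-table output from an APK's classes.dex.
SAMPLE_STRINGS = [
    "Landroid/content/Intent;",
    "MTkyLjAuMi40NA==",                          # 192.0.2.44
    "aHR0cDovLzE5OC41MS4xMDAuNzo4MDgwL2FwaQ==",  # http://198.51.100.7:8080/api
    "SGVsbG8gd29ybGQ=",                          # plain text, not an endpoint
    "OTk5LjEuMS4x",                              # 999.1.1.1, invalid octet
]

if __name__ == "__main__":
    for token, ip in find_encoded_ips(SAMPLE_STRINGS):
        print(f"{token} -> {ip}")
```

A hit is only a lead for review: legitimate apps also embed encoded configuration, so the decoded address still needs to be checked against network telemetry or threat intelligence.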

The malicious app then receives configuration data from the C&C server, needed for displaying ads, and for stealth and resilience.

Once the malicious app receives its configuration data, the affected device is ready to display ads as per the attacker’s choice.

The ads delivered by the adware are displayed as full-screen activity. If the user wants to check which app is responsible for the ad being displayed, the app impersonates Facebook or Google, as seen in Figure 3. “The adware mimics these two apps to look legitimate and avoid suspicion – and thus stay on the affected device for as long as possible,” explained Lukáš Štefanko in the blog post.


Figure 3. The adware activity impersonates Facebook (left). If the user long-presses the icon, the name of the app responsible for the activity is revealed (right).

He further elaborated that, “Another point of interest is that the Ashas adware family has hidden its code under the com.google.xxx package name. Posing as part of a legitimate Google service may help avoid scrutiny. Some detection mechanisms and sandboxes may whitelist such package names in an effort to prevent wasting resources.”

Hunting down the developer

Using open-source information, the research team at ESET managed to track down the developer of the Ashas adware, whom they also identified as the campaign’s operator and owner of the C&C server.

Based on information that is associated with the registered C&C domain, it was easy to identify the name of the registrant, along with further data like country and email address.

Searching further for the malicious developer’s activities, ESET researchers found his YouTube channel, which is being used to propagate the Ashas adware and his other projects. As for the Ashas family, one of the associated promotional videos, “Head Soccer World Champion 2018 – Android, iOS”, was viewed almost three million times, and two others reached hundreds of thousands of views, as seen in Figure 4.


Figure 4. YouTube channel of the malicious developer

The researchers were also able to find the malicious developer’s Facebook profile. Going through his FB profile, researchers found a Facebook page, Minigameshouse, and an associated domain, minigameshouse[.]net.

The malicious developer has been using his Minigameshouse FB page to promote a slew of games beyond the Ashas family for download on both Google Play and the App Store. However, all of those have been removed from Google Play – despite the fact that some of them didn’t contain any adware functionality, as mentioned in the blog post.

Is adware harmful?

As mentioned by ESET researchers in the blog post, “Because the real nature of apps containing adware is usually hidden to the user, these apps and their developers should be considered untrustworthy”. When installed on a device, apps containing Ashas adware may, among other things:

  • Annoy users with intrusive advertisements, including scam ads
  • Waste the device’s battery resources
  • Generate increased network traffic
  • Gather users’ personal information
  • Hide their presence on the affected device to achieve persistence
  • Generate revenue for their operator without any user interaction