ESET researchers discovered a family of 42 apps, dubbed the Ashas family, that were originally designed as legitimate apps but later updated to provide fullscreen advertisements to users and exfiltration of some basic device data. The original functionality, such as photo viewers, video downloaders, music apps, and games still exists but with the malicious activity included as well. The adware campaign had been active since July 2018 with over 8 million downloads and half of the apps still available on the Play store at the time of discovery. Since the researchers reported their findings, the remaining apps have been removed.
The apps use a command and control (C&C) server to send device information such as type, version of the operating system, language, installed apps, free storage space, and other fingerprinting data. The app is then configured from the C&C server and also includes ways of avoiding detection. First, the app can detect if it is being run on a Google server and therefore will not run the adware payload. Next, a custom delay can be set so that ads are displayed well after starting the app (a half-hour later, for instance) so that the user doesn’t associate the ad behavior with that particular app. Ashas apps can also display a different icon when users try to determine which app is showing the ad, usually hiding as Google or Facebook. Finally, the app installs a shortcut in the app menu instead of the icon itself so that when a user tries to delete it, they are removing only the shortcut and the app continues to run in the background.
ESET researchers managed to track down the author of the Ashas apps, a university student in Vietnam. They backtracked from the IP address of the C&C server to the owner information, then to university information and eventually the author’s YouTube channel and personal Facebook page. All of the information was publicly-available open-source data, showing that the author didn’t try to cover his tracks. This leads the researchers to believe that the developer started honestly when creating the apps and then later decided to turn to malicious behavior.