Researchers from ESET, a renowned antivirus and internet security solutions company, have found 42 adware apps that have bypassed Google’s app checking process and are there on Google Play Store, racking up millions of downloads. We detected a large adware campaign running for about a year, with the involved apps installed eight million times from Google Play alone,” ESET researcher Lukas Stefanko mentioned on the We Live Security (ESET) website.
It has also been mentioned that at the time of discovery, 21 of these apps were still there on Google Play Store. Some other apps can be downloaded and installed via third-party app stores. ESET classifies this adware as Android/AdDisplay.Ashas. Some of these 21 apps included are Smart Gallery (by Uranium), SaveInsta (by Uranium), Heroes Jump (by JJDO TK), Flat Music Player (by Uranium), Video downloader master (by Typhu Team) and others.
ESET states that all these apps work as intended in addition to working as adware. When the user installs the apps and launches it, the app sends smartphone data to its servers such as device type, OS version, language, number of installed apps, free storage space, battery status, if the device is on Developer mode and if Facebook and FB Messenger apps are downloaded on it or not.
There were three major ways how these apps were able to go stealth and bypass Google’s security layer.
The first method had the malicious app determining if it is being tested by Google Play security mechanism. The app receives ‘isGoogleIp’ flag, determining if the handset falls in the range of known IP addresses for Google servers. If yes, the app doesn’t trigger the adware.
The second method included the app to set a custom delay between displaying two ads. The app could set the delay by up to 24 minutes. This resulted in the app bypassing the testing procedure, which takes under 10 minutes. The longer the delay between ads, the more chance of it being slipping the security procedure.
The third method of bypassing was based on the server response. With this, the app could hide its icon and create a shortcut instead. This means that if a user tried to delete the adware app, he/she would end up removing just the shortcut and not the main app, which continues to run in the background. Also mentioned is that at times the app shows the icon of Google Play Store when a user tried to close it from the ‘Recents’ tab.
What can the adware apps do to your smartphones?
While the original intention of this adware was not revealed, the adware apps in general can result in faster battery drains, tricking users into clicking on the scam ads, increased network traffic, gather personal information among others.
The report even states that they dug out some information about the owner of the servers and the apps. It was discovered that he is an Android developer, has a YouTube channel, Facebook page and is a student from a Vietnamese university.
