ESET experts calculated the author of 42 applications that were hosted on Google Play and showed users intrusive advertising. In total, applications containing adware Android / AdDisplay.Ashas have been installed more than 8,000,000 times.
Researchers write that applications were not immediately infected with Ashas. Obviously, the malware appeared in the code over time, when the developer decided to turn his legitimate application development business into a not entirely legal advertising business, showing users full-screen ads on top of other application windows.
The developer has made efforts to mask the malicious activity of his products. So, an advertisement began to appear no earlier than 24 minutes after interacting with an infected application and often tried to mislead the victim, as it contained logos of other applications, for example, the Google Play Store.
According to ESET, a student from Vietnam is behind the development of 42 infected applications, whose name the researchers did not disclose. He started uploading the malware into the official catalog in July 2018, and at the time of the discovery of the threat by the researchers, 21 applications were still active.
Since the student began by developing and publishing “clean” applications, he did not take any precautions to hide his identity in earlier versions of his products. As a result, the experts managed to associate the email addresses that he used to register advertising domains with his personal accounts on GitHub, YouTube and, ultimately, on Facebook.
Currently, all ad applications have been removed from Google Play. But it is not known whether a Vietnamese student will face the consequences of their actions, because law enforcement agencies rarely deal with cases of advertising fraud (and if they do, they will prosecute large players who steal millions of dollars).