Yet Another Google Play Store App Adware Campaign Ensnared Millions Of Android Users


Adware is rampant in app stores. Google, Apple, and others frequently take down malicious apps, but it can be difficult to determine who published these apps in the first place. ESET researchers recently discovered not only a year-long adware campaign, but the developer behind it.

ESET researchers found a total of 42 apps with similar adware on Google Play. The campaign had been running since 2018 and the apps were installed over 8 million times. Many of the apps had already been removed and the researchers reported the remaining outliers to Google. These apps have now all been deleted from the Google Play Store, but you may still find them in third-party app stores. You can find a complete list of package names here. The most popular package name appears to be “com.ngocph.masterfree”, which was installed over 5 million times.

The app would communicate with a C&C server and share information about the affected device. This information included the “device type, OS version, language, number of installed apps, free storage space, battery status, whether the device is rooted and Developer mode enabled, and whether Facebook and FB Messenger are installed.”


The malicious apps would then test Google’s security system to make sure that they would go undetected. The apps would delay ads, hide their icons to prevent being deleted, and hide their code under a “com.google.xxx” package name. An app would even display a Google or Facebook icon if the user tried to find out where the unwanted ad was coming from.

The ESET researchers were also able to find the developer behind the adware. The developer was also the owner of the C&C server and the one responsible for the adware campaign. The researchers were able to determine that the person under whose name the domain was registered was a student at a Vietnamese university. They were also able to find the developer’s YouTube channel, Facebook profile, GitHub repository, and a few academic grades.

The developer has worked on a number of projects, but many do not contain malicious adware. The researchers argue that the developer likely did not first intend to release adware, but was later tempted by the potential for increased ad revenue. The developer appears to have taken steps over the last few weeks to make their information less public. Let’s hope that they have also learned an important lesson about using one’s abilities for good.

Google recently deleted 15 other apps that contained adware from a different developer. These apps were installed more than 1.3 million times and would cause faux “crashes” on affected devices. The battle against adware sometimes feels endless, but Google and other researchers do appear to be making a few strides.