Cybersecurity experts have found almost 50 apps on the Google Play Store with a total of 10 million users. The scheme was simple: the hacker first distributed all the applications as legitimate ones, then later updated them to maliciously display full-screen advertisements to their users.
During an investigation, cybersecurity experts found that these adware Android applications were developed by a Vietnamese university student.
The experts identified him by looking at the available registration details of a domain associated with the adware apps. After this, they immediately gave Google the hacker’s real name, address, and phone number, along with his Facebook, GitHub, and YouTube accounts.
Be aware! Such apps can be found all over Google’s Play Store and can easily trick the user because, even though they are malicious, the original functionality is still there, which makes it quite difficult for anyone untrained to spot anything suspicious.
What is adware?
Adware typically bombards infected devices with advertisements, mostly leading to scam, malicious, and phishing websites.
Adware cyberattack methodology:
In this case, the adware family used was named “Ashas”.
This adware lets the hacker connect the end-user code (the app) to a remote command-and-control (C&C) server and, from there, automatically send basic information to and from the device.
Most of the time, this information is configuration data from the C&C server, used to display ads of the hacker’s choosing and then to apply a number of methods for stealth and resilience.
To hide its malicious functionality from Google Play’s cybersecurity solution, the apps first check the IP address of the infected device; if the IP falls within the range of known IP addresses for Google servers, the app does not run its adware payload.
To keep end-users from connecting the unwanted ads to his app, the hacker also used a set of custom delay rules that avoid displaying ads immediately after the app is installed.
The apps also hide their icons on the Android phone’s menu and create a shortcut in an attempt to prevent uninstallation.
By using this technique, the hacker tricked the user into thinking that he had gotten rid of the malicious app by letting him delete only the shortcut, in which case the rogue app continues to run in the background without the user’s knowledge.
If the affected user gets suspicious and uses the “Recent apps” button to check which app is serving ads, the adware displays a Facebook or Google icon to look legitimate and avoid suspicion, tricking him into believing the ads are being displayed by a legitimate service.
Cybersecurity researchers reported their findings to the Google security team, and the company removed the apps in question from its Play Store platform.
How to protect yourself?
If you have downloaded any of the rogue apps listed below on your Android device, remove it immediately by going into your device settings.
Smart Gallery (Uranium)
Mini lite for Facebook (HIEN-DEV)
Free Radio FM Online (Juke Studio)
Free Video Download (DINH VIET HUNG)
Free social video downloader (Mini Apps VN)
Fire Downloader (Carmen D. Adkins)
Water Drink Reminder (Carmen D. Adkins)
Smart Notes (Carmen D. Adkins)
DU Recorder (Claure Apps)
Tank classic (mrtcorp)
Heroes Jump (JJDO TK)
Ringtone Maker (CarlosGApps)
Video downloader (TYPHU TEAM)
Flat Music Player (Uranium)
HikeTop+ (Claure Apps)
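A defender-side check for the icon-hiding behaviour described above, as an added example that is not part of the original article: it compares the third-party packages on a device with the packages that expose a launcher entry and lists those with no icon for manual review. The sample command output and package names are constructed, and the exact output layout of the two `adb` commands is an assumption that can vary between Android versions.

```python
import re

# Constructed sample of `adb shell pm list packages -3` output
# (third-party packages only). Package names are made up.
SAMPLE_THIRD_PARTY = """\
package:com.example.notes
package:com.example.radio
package:com.example.keyboard
"""

# Constructed sample of the output of:
#   adb shell cmd package query-activities --brief \
#       -a android.intent.action.MAIN -c android.intent.category.LAUNCHER
# The layout shown here is an assumption; only "package/activity" lines are used.
SAMPLE_LAUNCHER = """\
3 activities found:
  priority=0 preferredOrder=0 match=0x108000 specificIndex=-1 isDefault=true
  com.android.settings/.Settings
  priority=0 preferredOrder=0 match=0x108000 specificIndex=-1 isDefault=true
  com.example.notes/.MainActivity
  priority=0 preferredOrder=0 match=0x108000 specificIndex=-1 isDefault=false
  com.example.keyboard/com.example.keyboard.SetupActivity
"""

PKG_LINE = re.compile(r"^package:([A-Za-z0-9_.]+)\s*$")
COMPONENT = re.compile(r"^\s*([A-Za-z0-9_.]+)/[A-Za-z0-9_.$]+\s*$")

def parse_third_party(text):
    """Package names from `pm list packages -3` lines."""
    return {m.group(1) for line in text.splitlines() if (m := PKG_LINE.match(line))}

def parse_launcher_packages(text):
    """Package names that own at least one launcher (home-screen) activity."""
    return {m.group(1) for line in text.splitlines() if (m := COMPONENT.match(line))}

def packages_without_launcher_icon(third_party_text, launcher_text):
    """Installed third-party packages that currently show no launcher icon."""
    installed = parse_third_party(third_party_text)
    visible = parse_launcher_packages(launcher_text)
    return sorted(installed - visible)

if __name__ == "__main__":
    for pkg in packages_without_launcher_icon(SAMPLE_THIRD_PARTY, SAMPLE_LAUNCHER):
        print("review in Settings > Apps:", pkg)
```

Apps such as keyboards and widgets legitimately have no launcher icon, so the result is a list to review in the device settings, not a verdict.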