ESET discovers Android adware affecting millions and tracks down its developer

Next story

BRATISLAVA – ESET researchers have discovered a year-long campaign on Google Play with eight million installs of adware detected by ESET as Android/AdDisplay.Ashas. The research team managed to track down the malware’s developer and discover additional adware-laden apps.

“We identified 42 apps on Google Play as belonging to this adware campaign, with 21 still available at the time of discovery. The Google security team removed all of them based on our report. However, they are still available in third-party app stores,” says Lukáš Štefanko, ESET malware researcher.

The apps provide the functionality they promise – including video downloading, simple gaming and radio play – besides working as adware. “The adware functionality is the same in all the apps we analyzed,” says Štefanko.


The apps use several tricks to reach users’ devices and remain undetected: checking for Google Play’s security testing mechanism; delaying the display of ads until well after the device is unlocked; hiding their icons and creating shortcuts instead.

The ads delivered by the adware are displayed as full-screen activity. If the user wants to check which app is responsible for the ad being displayed, the app impersonates Facebook or Google. “The adware mimics these two apps to look legitimate and avoid suspicion – and thus stay on the affected device for as long as possible,” explains Štefanko.

Another point of interest is that the Ashas adware family has hidden its code under the package name. “Posing as part of a legitimate Google service may help avoid scrutiny. Some detection mechanisms and sandboxes may whitelist such package names in an effort to prevent wasting resources,” elaborates Štefanko.

While analyzing the apps, ESET researchers noticed that the malicious developer left behind many traces. Using open-source information, they tracked down the developer of the adware, whom they also identified as the campaign’s operator and owner of the C&C server. Štefanko notes that “establishing the developer’s identity was a side effect of our hunt for further malware and campaigns.”

While adware might not be as damaging as some other forms of malware, the fact that it can sneak into the official Android app store so easily is disturbing. “Users should protect their devices by sticking with basic cybersecurity principles and using a quality security solution,” recommends ESET’s Štefanko.

For more details, read Lukáš Štefanko’s blog post “Tracking down the developer of Android adware affecting millions of users” at

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint and mobile security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give consumers and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D centers worldwide, ESET has become the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003. For more information, visit us on or follow us on LinkedInFacebook and Twitter.