A Vietnamese student has been identified as the author of 42 malware-containing apps on Google’s Play Store.
The apps containing malware began appearing in July 2018, and some of them have had up to 8 million downloads.
The common feature of all 42 apps is that they contain a new kind of adware.
Once an app containing the adware is installed, the malicious code affects the user's device by inserting ads into it. When users open the multitasking interface to switch between apps, the malware displays ads on the application's avatar.
This will not only consume users’ data, but also affect the devices’ performance since there are hidden threads that keep victims’ devices in contact with the servers that provide ads.
In addition, this causes Android phones to suddenly light up and display ads even though the device is locked.
These apps evade Google's app review in a fairly sophisticated way. When the application containing malicious code is started for the first time, the culprit's server receives the information needed to determine the type of ad to display, including the hostname, operating system version, device language, free memory capacity, battery status and the applications in use.
This is ordinary information that many other apps also collect and that Google accepts. After that, the apps stay in contact with the hackers' servers. If the connections to the hackers' servers include IPs from Google, this means that the apps are being tested by Google. In that case, the malware-containing app operates normally and no ads are displayed.
If the connections are from other IPs, the app displays ads at random intervals, mostly 24 minutes after the device's screen is locked. In general, Google needs less than 10 minutes to examine an app, so the 42 apps can easily escape security examinations.
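The behaviour described above (ads appearing only well after the screen locks, later than a short test would watch) can be checked for from the defender's side. The following is an added example, not code from ESET or from the article; the event names, package names and log lines are constructed assumptions, not a real Android log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (timestamp, event, package); not real device logs.
# The event names are assumptions for this example, not an Android log format.
SAMPLE_EVENTS = [
    ("2019-10-01 09:00:00", "SCREEN_LOCKED", None),
    ("2019-10-01 09:05:00", "NETWORK_CONNECT", "com.example.radio"),
    ("2019-10-01 09:24:10", "SCREEN_WAKE", "com.example.radio"),
    ("2019-10-01 09:24:11", "FULLSCREEN_ACTIVITY", "com.example.radio"),
    ("2019-10-01 09:30:00", "USER_UNLOCK", None),
    ("2019-10-01 09:31:00", "FULLSCREEN_ACTIVITY", "com.example.notes"),
    ("2019-10-01 10:00:00", "SCREEN_LOCKED", None),
    ("2019-10-01 10:23:50", "FULLSCREEN_ACTIVITY", "com.example.radio"),
]

REVIEW_WINDOW = timedelta(minutes=10)  # "less than 10 minutes" per the article


def find_locked_screen_ads(events):
    """Return {package: [delay after lock, ...]} for UI shown while locked."""
    locked_since = None
    hits = defaultdict(list)
    for stamp, event, package in events:
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        if event == "SCREEN_LOCKED":
            locked_since = when
        elif event == "USER_UNLOCK":
            locked_since = None
        elif event == "FULLSCREEN_ACTIVITY" and locked_since is not None:
            hits[package].append(when - locked_since)
    return dict(hits)


def missed_by_short_test(delays, window=REVIEW_WINDOW):
    """True when every occurrence came later than a test of `window` would watch."""
    return bool(delays) and all(d > window for d in delays)


if __name__ == "__main__":
    for pkg, delays in find_locked_screen_ads(SAMPLE_EVENTS).items():
        minutes = [round(d.total_seconds() / 60, 1) for d in delays]
        print(pkg, "shown while locked after (min):", minutes,
              "| outside 10-min window:", missed_by_short_test(delays))
```

An app flagged here with every delay beyond the review window is a candidate for a longer observation run from a network that is not identifiable as the reviewer's.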
The first apps posted on Google did not contain malware. But later, the culprit inserted malware into users’ devices through apps’ updated versions.
Noticing the common characteristic of the 42 apps, ESET security experts conducted an investigation and found that the author of all 42 apps is a student at a university in Hanoi.
At first, they checked the source code of the apps and found the addresses of the servers that the apps kept in touch with. After checking the information about the owners of the server domain names, ESET obtained the email addresses and phone numbers of the person who registered the domain names. All were in Vietnam.
After conducting a series of other operations, ESET found the male student. His YouTube and Facebook accounts also show articles guiding the use of adware-containing apps.