{
	"id": "28a9f476-745c-4347-8a2b-129a17e21d5d",
	"created_at": "2026-04-06T00:11:46.783728Z",
	"updated_at": "2026-04-10T03:30:33.291817Z",
	"deleted_at": null,
	"sha1_hash": "e15fc060ecb69ea77fdc338d67d5fed7a4be50b2",
	"title": "Tracking down the developer of Android adware affecting millions of users",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5124564,
	"plain_text": "Tracking down the developer of Android adware affecting millions of\r\nusers\r\nBy Lukas Stefanko\r\nArchived: 2026-04-05 13:55:59 UTC\r\nWe detected a large adware campaign running for about a year, with the involved apps installed eight million times from\r\nGoogle Play alone.\r\nWe identified 42 apps on Google Play as belonging to the campaign, which had been running since July 2018. Of those,\r\n21 were still available at the time of discovery. We reported the apps to the Google security team and they were swiftly\r\nremoved. However, the apps are still available in third-party app stores. ESET detects this adware, collectively, as\r\nAndroid/AdDisplay.Ashas.\r\nhttps://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/\r\nPage 1 of 17\n\nFigure 1. Apps of the Android/AdDisplay.Ashas family reported to Google by ESET\r\nhttps://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/\r\nPage 2 of 17\n\nFigure 2. The most popular member of the Android/AdDisplay.Ashas family on Google Play was “Video downloader\r\nmaster” with over five million downloads\r\nAshas functionality\r\nhttps://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/\r\nPage 3 of 17\n\nAll the apps provide the functionality they promise, besides working as adware. The adware functionality is the same in\r\nall the apps we analyzed. [Note: The analysis of the functionality below describes a single app, but applies to all apps of\r\nthe Android/AdDisplay.Ashas family.]\r\nOnce launched, the app starts to communicate with its C\u0026C server (whose IP address is base64-encoded in the app). It\r\nsends “home” key data about the affected device: device type, OS version, language, number of installed apps, free\r\nstorage space, battery status, whether the device is rooted and Developer mode enabled, and whether Facebook and FB\r\nMessenger are installed.\r\nFigure 3. Sending information about the affected device\r\nThe app receives configuration data from the C\u0026C server, needed for displaying ads, and for stealth and resilience.\r\nFigure 4. Configuration file received from the C\u0026C server\r\nAs for stealth and resilience, the attacker uses a number of tricks.\r\nFirst, the malicious app tries to determine whether it is being tested by the Google Play security mechanism. For this\r\npurpose, the app receives from the C\u0026C server the isGoogleIp flag, which indicates whether the IP address of the affected\r\ndevice falls within the range of known IP addresses for Google servers. If the server returns this flag as positive, the app\r\nwill not trigger the adware payload.\r\nSecond, the app can set a custom delay between displaying ads. The samples we have seen had their configuration set to\r\ndelay displaying the first ad by 24 minutes after the device unlocks. This delay means that a typical testing procedure,\r\nwhich takes less than 10 minutes, will not detect any unwanted behavior. Also, the longer the delay, the lower the risk of\r\nthe user associating the unwanted ads with a particular app.\r\nhttps://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/\r\nPage 4 of 17\n\nThird, based on the server response, the app can also hide its icon and create a shortcut instead. If a typical user tries to get\r\nrid of the malicious app, chances are that only the shortcut ends up getting removed. The app then continues to run in the\r\nbackground without the user’s knowledge. This stealth technique has been gaining popularity among adware-related\r\nthreats distributed via Google Play.\r\nFigure 5. Time delay to postpone displaying ads implemented by the adware\r\nOnce the malicious app receives its configuration data, the affected device is ready to display ads as per the attacker’s\r\nchoice; each ad is displayed as a full screen activity. If the user wants to check which app is responsible for the ad being\r\ndisplayed, by hitting the “Recent apps” button, another trick is used: the app displays a Facebook or Google icon, as seen\r\nin Figure 6. The adware mimics these two apps to look legitimate and avoid suspicion – and thus stay on the affected\r\ndevice for as long as possible.\r\nhttps://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/\r\nPage 5 of 17\n\nFigure 6. The adware activity impersonates Facebook (left). If the user long-presses the icon, the name of the app\r\nresponsible for the activity is revealed (right).\r\nFinally, the Ashas adware family has its code hidden under the com.google.xxx package name. This trick – posing as a part\r\nof a legitimate Google service – may help avoid scrutiny. Some detection mechanisms and sandboxes may whitelist such\r\npackage names, in an effort to prevent wasting resources.\r\nhttps://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/\r\nPage 6 of 17\n\nFigure 7. Malicious code hidden in a package named “com.google”\r\nHunting down the developer\r\nUsing open-source information, we tracked down the developer of the adware, who we also identified as the campaign’s\r\noperator and owner of the C\u0026C server. In the following paragraphs, we outline our  efforts to discover other applications\r\nfrom the same developer and protect our users from it.\r\nFirst, based on information that is associated with the registered C\u0026C domain, we identified the name of the registrant,\r\nalong with further data like country and email address, as seen in Figure 8.\r\nhttps://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/\r\nPage 7 of 17\n\nFigure 8. Information about the C\u0026C domain used by the Ashas adware\r\nKnowing that the information provided to a domain registrar might be fake, we continued our search. The email address\r\nand country information drove us to a list of students attending a class at a Vietnamese university – corroborating the\r\nexistence of the person under whose name the domain was registered.\r\nhttps://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/\r\nPage 8 of 17\n\nFigure 9. A university class student list including the C\u0026C domain registrant\r\nDue to poor privacy practices on the part of our culprit’s university, we now know his date of birth (probably: he\r\nseemingly used his birth year as part of his Gmail address, as further partial confirmation), we know that he was a student\r\nand what university he attended. We were also able to confirm that the phone number he provided to the domain registrar\r\nwas genuine. Moreover, we retrieved his University ID; a quick googling showed some of his exam grades. However, his\r\nstudy results are out of the scope of our research.\r\nBased on our culprit’s email address, we were able to find his GitHub repository. His repository proves that he is indeed\r\nan Android developer, but it contained no publicly available code of the Ashas adware at the time of writing of this\r\nblogpost.\r\nHowever, a simple Google search for the adware package name returned a “TestDelete” project that had been available in\r\nhis repository at some point\r\nThe malicious developer also has apps in Apple’s App Store. Some of them are iOS versions of the ones removed from\r\nGoogle Play, but none contain adware functionality.\r\nFigure 10. The malicious developer’s apps published on the App Store which don’t contain the Ashas adware\r\nSearching further for the malicious developer’s activities, we also discovered his Youtube channel propagating the Ashas\r\nadware and his other projects. As for the Ashas family, one of the associated promotional videos, “Head Soccer World\r\nChampion 2018 - Android, ios” was viewed almost three million times and two others reached hundreds of thousands of\r\nviews, as seen in Figure 11.\r\nhttps://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/\r\nPage 9 of 17\n\nFigure 11. YouTube channel of the malicious developer\r\nHis YouTube channel provided us with another valuable piece of information: he himself features in a video tutorial for\r\none of his other projects. Thanks to that project, we were able to extract his Facebook profile – which lists his studies at\r\nthe aforementioned university.\r\nhttps://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/\r\nPage 10 of 17\n\nFigure 12. Facebook profile of the C\u0026C domain registrar (cover picture and profile picture edited out)\r\nLinked on the malicious developer’s Facebook profile, we discovered a Facebook page, Minigameshouse, and an\r\nassociated domain, minigameshouse[.]net. This domain is similar to the one the malware author used for his adware C\u0026C\r\ncommunication, minigameshouse[.]us.\r\nChecking this Minigameshouse page further indicates that this person is indeed the owner of the minigameshouse[.]us\r\ndomain: the phone number registered with this domain is the same as the phone number appearing on the Facebook page.\r\nhttps://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/\r\nPage 11 of 17\n\nFigure 13. Facebook page managed by the C\u0026C domain registrant uses the same base domain name (minigameshouse)\r\nand phone number as the registered malicious C\u0026C used by the Ashas adware\r\nOf interest is that on the Minigameshouse Facebook page, the malicious developer promotes a slew of games beyond the\r\nAshas family for download on both Google Play and the App Store. However, all of those have been removed from\r\nGoogle Play – despite the fact that some of them didn’t contain any adware functionality.\r\nhttps://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/\r\nPage 12 of 17\n\nOn top of all this, one of the malicious developer’s YouTube videos – a tutorial on developing an “Instant Game” for\r\nFacebook – serves as an example of operational security completely ignored. We were able to see that his recently visited\r\nweb sites were Google Play pages belonging to apps containing the Ashas adware. He also used his email account to log\r\ninto various services in the video, which identifies him as the adware domain owner, beyond any doubt.\r\nThanks to the video, we were even able to identify three further apps that contained adware functionality and were\r\navailable on Google Play.\r\nFigure 14. Screenshots from this developer’s YouTube video shows history of checking Ashas adware on Google Play\r\nESET telemetry\r\nhttps://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/\r\nPage 13 of 17\n\nFigure 15. ESET detections of Android/AdDisplay.Ashas on Android devices by country\r\nIs adware harmful?\r\nBecause the real nature of apps containing adware is usually hidden to the user, these apps and their developers should be\r\nconsidered untrustworthy. When installed on a device, apps containing adware may, among other things:\r\nAnnoy users with intrusive advertisements, including scam ads\r\nWaste the device’s battery resources\r\nGenerate increased network traffic\r\nGather users’ personal information\r\nHide their presence on the affected device to achieve persistence\r\nGenerate revenue for their operator without any user interaction\r\nConclusion\r\nBased solely on open source intelligence, we were able to trace the developer of the Ashas adware and establish his\r\nidentity and discover additional related adware-infected apps. Seeing that the developer did not take any measures to\r\nprotect his identity, it seems likely that his intentions weren’t dishonest at first – and this is also supported by the fact that\r\nnot all his published apps contained unwanted ads.\r\nAt some point in his Google Play “career”, he apparently decided to increase his ad revenue by implementing adware\r\nfunctionality in his apps’ code. The various stealth and resilience techniques implemented in the adware show us that the\r\nhttps://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/\r\nPage 14 of 17\n\nculprit was aware of the malicious nature of the added functionality and attempted to keep it hidden.\r\nSneaking unwanted or harmful functionality into popular, benign apps is a common practice among “bad” developers, and\r\nwe are committed to tracking down such apps. We report them to Google and take other steps to disrupt malicious\r\ncampaigns we discover. Last but not least, we publish our findings to help Android users protect themselves.\r\nIndicators of Compromise (IoCs)\r\nPackage name Hash Installs\r\ncom.ngocph.masterfree c1c958afa12a4fceb595539c6d208e6b103415d7 5,000,000+\r\ncom.mghstudio.ringtonemaker 7a8640d4a766c3e4c4707f038c12f30ad7e21876 500,000+\r\ncom.hunghh.instadownloader 8421f9f25dd30766f864490c26766d381b89dbee 500,000+\r\ncom.chungit.tank1990 237f9bfe204e857abb51db15d6092d350ad3eb01 500,000+\r\ncom.video.downloadmasterfree 43fea80444befe79b55e1f05d980261318472dff 100,000+\r\ncom.massapp.instadownloader 1382c2990bdce7d0aa081336214b78a06fceef62 100,000+\r\ncom.chungit.tankbattle 1630b926c1732ca0bb2f1150ad491e19030bcbf2 100,000+\r\ncom.chungit.basketball 188ca2d47e1fe777c6e9223e6f0f487cb5e98f2d 100,000+\r\ncom.applecat.worldchampion2018 502a1d6ab73d0aaa4d7821d6568833028b6595ec 100,000+\r\norg.minigamehouse.photoalbum a8e02fbd37d0787ee28d444272d72b894041003a 100,000+\r\ncom.mngh.tuanvn.fbvideodownloader 035624f9ac5f76cc38707f796457a34ec2a97946 100,000+\r\ncom.v2social.socialdownloader 2b84fb67519487d676844e5744d8d3d1c935c4b7 100,000+\r\ncom.hikeforig.hashtag 8ed42a6bcb14396563bb2475528d708c368da316 100,000+\r\ncom.chungit.heroesjump c72e92e675afceca23bbe77008d921195114700c 100,000+\r\ncom.mp4.video.downloader 61E2C86199B2D94ABF2F7508300E3DB44AE1C6F1 100,000+\r\ncom.videotomp4.downloader 1f54e35729a5409628511b9bf6503863e9353ec9 50,000+\r\nboxs.puzzles.Puzzlebox b084a07fdfd1db25354ad3afea6fa7af497fb7dc 50,000+\r\ncom.intatwitfb.download.videodownloader 8d5ef663c32c1dbcdd5cd7af14674a02fed30467 50,000+\r\ncom.doscreenrecorder.screenrecorder e7da1b95e5ddfd2ac71587ad3f95b2bb5c0f365d 50,000+\r\ncom.toptools.allvideodownloader 32E476EA431C6F0995C75ACC5980BDBEF07C8F7F 50,000+\r\ncom.top1.videodownloader a24529933f57aa46ee5a9fd3c3f7234a1642fe17 10,000+\r\ncom.santastudio.headsoccer2 86d48c25d24842bac634c2bd75dbf721bcf4e2ea 10,000+\r\ncom.ringtonemakerpro.ringtonemakerapp2019 5ce9f25dc32ac8b00b9abc3754202e96ef7d66d9 10,000+\r\nhttps://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/\r\nPage 15 of 17\n\nPackage name Hash Installs\r\ncom.hugofq.solucionariodebaldor 3bb546880d93e9743ac99ad4295ccaf982920260 10,000+\r\ncom.anit.bouncingball 6e93a24fb64d2f6db2095bb17afa12c34b2c8452 10,000+\r\ncom.dktools.liteforfb 7bc079b1d01686d974888aa5398d6de54fd9d116 10,000+\r\nnet.radiogroup.tvnradio ba29f0b4ad14b3d77956ae70d812eae6ac761bee 10,000+\r\ncom.anit.bouncingball 6E93A24FB64D2F6DB2095BB17AFA12C34B2C8452 10,000+\r\ncom.floating.tube.bymuicv 6A57D380CDDCD4726ED2CF0E98156BA404112A53 10,000+\r\norg.cocos2dx.SpiderSolitaireGames adbb603195c1cc33f8317ba9f05ae9b74759e75b 5,000+\r\ngames.puzzle.crosssum 31088dc35a864158205e89403e1fb46ef6c2c3cd 5,000+\r\ndots.yellow.craft 413ce03236d3604c6c15fc8d1ec3c9887633396c 5,000+\r\ncom.tvngroup.ankina.reminderWater 5205a5d78b58a178c389cd1a7b6651fe5eb7eb09 5,000+\r\ncom.hdevs.ringtonemaker2019 ba5a4220d30579195a83ddc4c0897eec9df59cb7 5,000+\r\ncom.carlosapps.solucionariodebaldor 741a95c34d3ad817582d27783551b5c85c4c605b 5,000+\r\ncom.mngh1.flatmusic 32353fae3082eaeedd6c56bb90836c89893dc42c 5,000+\r\ncom.tvn.app.smartnote ddf1f864325b76bc7c0a7cfa452562fe0fd41351 1,000+\r\ncom.thrtop.alldownloader f46ef932a5f8e946a274961d5bdd789194bd2a7d 1,000+\r\ncom.anthu91.soccercard 0913a34436d1a7fcd9b6599fba64102352ef2a4a 1,000+\r\ncom.hugofq.wismichudosmildiecisiete 4715bd777d0e76ca954685eb32dc4d16e609824f 1,000+\r\ncom.gamebasketball.basketballperfectshot e97133aaf7d4bf90f93fefb405cb71a287790839 1,000+\r\ncom.nteam.solitairefree 3095f0f99300c04f5ba877f87ab86636129769b1 100+\r\ncom.instafollowers.hiketop 3a14407c3a8ef54f9cba8f61a271ab94013340f8 1+\r\nC\u0026C server\r\nhttp://35.198.197[.]119:8080\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Description\r\nInitial\r\nAccess\r\nT1475\r\nDeliver Malicious App\r\nvia Authorized App\r\nStore\r\nThe malware impersonates legitimate services on Google Play\r\nhttps://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/\r\nPage 16 of 17\n\nTactic ID Name Description\r\nPersistence T1402\r\nApp Auto-Start at\r\nDevice Boot\r\nAn Android application can listen for the BOOT_COMPLETED\r\nbroadcast, ensuring that the app's functionality will be activated\r\nevery time the device starts\r\nImpact T1472\r\nGenerate Fraudulent\r\nAdvertising Revenue\r\nGenerates revenue by automatically displaying ads\r\nKudos to @jaymin9687 for bringing the problem of unwanted ads in the “Video downloader master” app to our attention.\r\nSource: https://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/\r\nhttps://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/\r\nPage 17 of 17",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/"
	],
	"report_names": [
		"tracking-down-developer-android-adware"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434306,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e15fc060ecb69ea77fdc338d67d5fed7a4be50b2.pdf",
		"text": "https://archive.orkl.eu/e15fc060ecb69ea77fdc338d67d5fed7a4be50b2.txt",
		"img": "https://archive.orkl.eu/e15fc060ecb69ea77fdc338d67d5fed7a4be50b2.jpg"
	}
}