Sunday, June 15, 2025
HomeAndroid42 Malicious Android Apps Downloaded 8 Million Times From Google Play That...

42 Malicious Android Apps Downloaded 8 Million Times From Google Play That Infect Users With Malware

Published on

SIEM as a Service

Follow Us on Google News

Researchers found nearly 8 Million Android users infected with adware that hides in the phone and display ads as per the attacker’s command.

Researchers from ESET security identified dozens of apps with such behavior.

In total 43 apps observed on Google play with more than eight million installations, the campaign was tracked since July 2018. All the apps form the same Vietnamese developer.

- Advertisement - Google News

Ashas Adware Functionality

Dubbed Ashas, the adware infected app offers the function they promise, on the other hand, it includes adware functionality and ability to steal data from the infected device.

The malicious applications contain components required to establish communication with the remote server. Once the app installed and launched it establishes communication with the C&C server.

The adware app sends the data of the infected device such as OS version, language, number of installed apps, free storage space, battery status and other details such as rooted/Developer mode and checks Facebook and FB Messenger.

Ashas adware
List of apps

Stefanko, a Security researcher from ESET observed the C&C server sending required configuration data for displaying ads and to stay stealthy and resilience.

Displaying ads – Three-Step Process

In the first step, the malicious app tries to check for the victim’s IP range, if the IP address within the range of Google servers then the app will not trigger the adware payload.

Next to the app setup the time interval between displaying tools and then based on the server response it hides the icon and creates a shortcut.

“Once the malicious app receives its configuration data, the affected device is ready to display ads as per the attacker’s choice; each ad is displayed as a full-screen activity,” reads ESET report.

App Developer Track Down

Stefanko tracked the malicious actor behind the apps by using openly available information, based on the domain used for the C&C server.

The malicious actor behind the campaign was a student at a Vietnamese university, the malicious actor also having apps in Apple’s App Store, a Youtube channel propagating the Ashas adware and a Facebook page.

According to ESET telemetry data, the following are the countries affected with Ashas adware.

Ashas adware
Countries Affected

This adware annoys users by displaying full-screen ads, drain batteries and also harvest information from the infected device. By automatically displaying the adware generate revenue to their operators.

You can find the complete details of IoC here.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Kali Linux 2025.2 Released: New Tools, Smartwatch and Car Hacking Added

Kali Linux, the preferred distribution for security professionals, has launched its second major release...

Arsen Launches AI-Powered Vishing Simulation to Help Organizations Combat Voice Phishing at Scale

Arsen, the cybersecurity startup known for defending organizations against social engineering threats, has announced...

NIST Releases New Guide – 19 Strategies for Building Zero Trust Architectures

The National Institute of Standards and Technology (NIST) has released groundbreaking guidance to help...

Spring Framework Flaw Enables Remote File Disclosure via “Content‑Disposition” Header

A medium-severity reflected file download (RFD) vulnerability (CVE-2025-41234) in VMware's Spring Framework has been...

Credential Abuse: 15-Min Attack Simulation

Credential Abuse Unmasked

Credential abuse is #1 attack vector in web and API breaches today (Verizon DBIR 2025). Join our live, 15-min attack simulation with Karthik Krishnamoorthy (CTO - Indusface) and Phani Deepak Akella (VP of Marketing - Indusface) to see hackers move from first probe to full account takeover.

Discussion points


Username & email enumeration – how a stray status-code reveals valid accounts.
Password spraying – low-and-slow guesses that evade basic lockouts.
Credential stuffing – lightning-fast reuse of breach combos at scale.
MFA / session-token bypass – sliding past second factors with stolen cookies.

More like this

Cybercriminals Exploiting Expired Discord Invite Links to Deploy Multi-Stage Malware

Recent investigations by Check Point Research have uncovered a sophisticated malware campaign that leverages...

Interpol Dismantles 20,000 Malicious IPs and Domains Tied to 69 Malware Variants

In a landmark global cybercrime crackdown, INTERPOL’s Operation Secure has seen the takedown of...

New Secure Boot Vulnerability Allows Attackers to Install Malware in PC and Server Boot Processes

Security researchers from Binarly have uncovered a major software vulnerability in the Unified Extensible...