The student is the author of at least 42 Android apps that have been uploaded to the official Google Play Store. The apps, installed more than eight million times, contained a new strain of Android adware that ESET codenamed Ashas (Android/AdDisplay.Ashas).
ESET said that not all apps contained the aggressive Ashas adware in their initial versions and that at one point, the developer decided to turn from a legitimate app development business into an adware operation.
At that point, the apps received updates with the Ashas adware code. This code worked by showing fullscreen ads overlaid on top of other apps.
The developer did a good job of disguising the origin of these ads. ESET said the ads would appear more than 24 minutes after a user interacted with an infected app and would often bear the logos of other apps -- such as the Google Play Store app.
Per ESET's investigation, since July 2018, the Vietnamese student created and uploaded 42 apps to the Play Store that contained the Ashas code, with 21 still available for download when researchers discovered his operation.
"We reported the apps to the Google security team and they were swiftly removed," ESET said. "However, the apps are still available in third-party app stores."
Adware author took no precautions to hide identity
As for how ESET tracked these apps to the Vietnamese student, this has to do with the sudden change in plans from the apps' author.
Because the student started off by publishing legitimate and clean apps, he took no precautions to hide his identity in the early versions of his apps.
ESET was able to link emails he used to register adware domains to personal accounts on GitHub, then YouTube, and then finally Facebook. A step-by-step account of how ESET tracked down the Ashas author is available in the company's report.
Chances are that no legal consequences will befall the Vietnamese student. Law enforcement agencies rarely go after ad fraud, and when they do, they go after the big fish, the ones that steal millions, rather than a rinky-dink operation like this.
Nevertheless, users should check the apps below and remove any that are still present on their devices.