
I tracked down developer of Android adware affecting millions of users - ridobok
https://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/
======
aiCeivi9
> First, the malicious app tries to determine whether it is being tested by
> the Google Play security mechanism. For this purpose, the app receives from
> the C&C server the isGoogleIp flag, which indicates whether the IP address
> of the affected device falls within the range of known IP addresses for
> Google servers. If the server returns this flag as positive, the app will
> not trigger the adware payload.

I can't believe something so simple worked so well.

