AirPush¶
Aggressive advertising SDK that became one of the most prevalent Android adware detections of 2012-2015. At its peak in Q2 2015, AirPush accounted for 49% of all Android detections (Quick Heal). Embedded in ~90,000 apps, it delivered push notification ads, icon ads on the home screen, and silently collected IMEI, location, and contacts. AirPush won "Best Mobile Ad Network" at the 2012 Mobile Excellence Awards while paying $4M/month to developers.
Overview¶
| Property | Value |
|---|---|
| First Seen | ~2012 |
| Type | Aggressive advertising SDK / Adware |
| Attribution | AirPush Inc. (legitimate ad company) |
| Aliases | Adware:Android/Airpush (F-Secure), Trojan:Android/Airpush (F-Secure, malicious variants) |
Distribution¶
Bundled as a third-party ad SDK inside free apps on Google Play and third-party stores. At peak, embedded in approximately 90,000 apps.
Capabilities¶
| Capability | Implementation |
|---|---|
| Push notification ads | Ads delivered even when the host app was not running |
| Home screen icon ads | Created ad shortcuts on the home screen |
| Data collection | IMEI, location, contacts silently harvested |
| Bookmark creation | Added advertising bookmarks to browser |
| Banner/interstitial ads | Standard ad formats within apps |
Significance¶
AirPush straddles the line between legitimate ad network and malware. Some vendors classified it as adware/PUA, while others flagged more aggressive variants as trojans. It became a poster child for the aggressive mobile advertising practices that led to Google Play policy changes restricting push notification ads and home screen modifications.
The phenomenon AirPush represents is documented further in grayware and data broker SDKs.