MobiDash¶
Long-lived adware SDK tracked by multiple vendors since 2015. MobiDash is distributed by repackaging legitimate APKs with the MobiDash ad module and distributing them through third-party stores. It displays full-screen ads every time the user unlocks their screen and delays execution 3 days to several weeks after installation to evade dynamic analysis sandboxes.
Overview¶
| Property | Value |
|---|---|
| First Seen | January 2015 |
| Type | Adware SDK |
| Attribution | Various operators (distributed as SDK) |
| Aliases | Adware.AndroidOS.Mobidash (Kaspersky), Android/Adware.MobiDash (Malwarebytes) |
Distribution¶
Third-party app stores. Legitimate APKs are repackaged with the MobiDash ad SDK. Also spread through phishing and online links. A notable campaign used fake FaceApp clones (2019).
Capabilities¶
| Capability | Implementation |
|---|---|
| Full-screen ads | Displayed on every screen unlock |
| Delayed execution | Waits 3 days to several weeks before activating |
| Unlock trigger | Registers broadcast receivers for SCREEN_OFF and USER_PRESENT |
| Persistence | Hundreds of variants across different host apps |
Scale¶
Monthly detection volume grew 100%+ between early and late 2025, with a 77% surge September-November 2025. The delayed activation makes sandbox detection difficult since analysis environments typically run samples for minutes to hours, not days.