Aggressive adware which can wait several weeks before triggering
We can see the main process cardgame.durak reading the file ads_settings.json to configure itself. We also see that the process is connecting to a lot of IP adresses. Some of those IP are contacted by the originating game itself to retrieve fair ads and most of them are contacted by the malware to download malicious ads. The IP adresses shared between cardgame.durak and android.browser are connections opened when agressive ads are displayed in fullscreen. We notice that the malware saves its history in a local directory, producing a lot of log files.