A new campaign of malicious photo apps on Google Play floods Android devices with random ads instead of functioning as advertised. They also elude detection by making its icon disappear from the device home screen soon after it’s downloaded.
Researchers at the White Ops Satori Threat Intelligence and Research Team discovered the Android apps — 29 in total — which they said “manifested suspiciously high volumes of ad traffic” during threat-hunting investigations, according to a recent report.
The team — comprised of researchers Gabi Cirlig, Michael Gethers, Marion Habiby, Christopher Soo and Dina Haines — called the campaign “ChartreuseBlur,” in part because the majority of apps include the word “blur” in their package name. Many also claim to be photo editors that allow users to blur sections of an image, they said.
There are several key characteristics that can alert users if they’ve fallen victim to downloading one of the bad apps (the apps combined have more than 3.5 million downloads, researchers said).
One of the hallmarks of the app is that once it’s downloaded, it plays “hide and seek” with the device, with the icon disappearing from the home screen, forcing users to go into the Settings menu to find the app if they want to see if it’s been installed or open it. This makes it “very difficult for an average user to remove the app,” they said. Square Photo Blur has since been moved from the Google Play store, researchers added.
Researchers conducted analysis on one of the apps in particular, called Square Photo Blur, finding that its behavior was consistent with all of the malicious apps. They found that once the app is downloaded, it begins bombarding the device with ads, “just appearing out of nowhere,” a phenomenon known as delivering out-of-context (OOC) ads, researchers said.
Another hallmark of the apps in the campaign is that all of the developers listed for the apps have random, English-sounding names that are clearly fake, according to the report. The developer listed for Square Photo Blur on Google Play, for example, was called “Thomas Mary.”
The apps in the campaign generally have a a three-stage payload evolution, researchers observed. In the first two stages, the code appears innocent, but the third phase is where they detected nefarious activity.
In the first stage, the app is installed using a Qihoo packer, which in and of itself is not suspicious. It also uses a stub app, or stubs, which typically are used by developers as a placeholder for not-yet-developed code while testing of other parts of the code.
This sets the app up for stage two, in which it’s used as a wrapper around another Blur app, com.appwallet.easyblur, which is visible after Square Photo Blur is unpacked. This app also does not do anything malicious; threat actors probably used it “to trick users into believing they have downloaded a legitimate app with Square Photo Blur,” researchers observed.
Stage three of the app’s installation is where the app begins to get malicious, according to the report. It’s in this phase that the malicious code generates the OOC ads, and it appears in the form of packages com.bbb.*, such as com.bbb.NewIn. Code present in the app can deliver OOC ads every time a user unlocks the screen, starts charging the phone, or switches from cellular data to WiFi and vice versa, researchers said.
Indeed, the Satori team discovered the code snippet responsible for the OOC ads on VirusTotal (VT), adding that VT samples appear to be slight variations of the same base code with incremental changes. This is likely so the app can avoid detection by antivirus companies, researchers said.
Once fully installed, researchers clicked on the Square Photo Blur app’s launcher icon on a test device and found it’s basically a “hollow shell of an app, just enough to just pass the Play Store checks,” they said.
They pointed out that reviews can be helpful in avoiding malicious apps like these: “Looking at the comments in the Reviews section for this app reveals negative sentiment against this developer. The reviews suggest the app is barely functional with many reports of OOC ads.”
The Satori team included a list of the malicious apps in the report and recommended that anyone using them remove them immediately. Researchers plan to continue to monitor the situation, they said.
The apps have been removed from the Google Play store, but users will need to remove any that have already been installed. The Satori team included a list of the malicious apps in their report and recommended that anyone using them remove them immediately. Researchers plan to continue to monitor the situation, they said.
