29 bad mobile apps with a combined 3.5m downloads hit users with out-of-context ads.
A new campaign of malicious photo apps on Google Play floods Android devices with random ads instead of functioning normally. The apps also evade detection by making their icons disappear from the device home screen soon after download.
Researchers at the White Ops Satori Threat Intelligence & Research Team found the 29 Android apps, which they said “manifested suspiciously high volumes of ad traffic” during threat-hunting investigations, according to a recent report.
The team, comprising researchers Gabi Cirlig, Michael Gethers, Marion Habiby, Christopher Soo & Dina Haines, called the campaign “Chartreuse Blur,” in part because the majority of the apps have the word “blur” in their package name.
Many also claim to be photo editors that allow users to blur sections of an image, they went on to say.
There are a number of key characteristics that can alert users that they have downloaded one of these bad apps (combined, the apps have over 3.5m downloads, researchers noted).
Hide & Seek
One feature of the apps is that once downloaded, they play “hide & seek” with the device: the icon disappears from the home screen, forcing users to go into the Settings menu to find the app if they want to check whether it has been installed or to open it.
This makes it “very difficult for an average user to remove the app,” they observed. Square Photo Blur has since been removed from the Google Play store, researchers added.
Square Photo Blur
Researchers conducted analysis on one of the apps in particular, called Square Photo Blur, finding that its behaviour was consistent with all of the malicious apps.
They discovered that once the app is downloaded, it begins bombarding the device with ads, “just appearing out of nowhere,” a phenomenon known as ‘delivering out-of-context (OOC) ads’, researchers explained.
A further indicator of the apps in this campaign is that all of the developers listed for them have random, English-sounding names that are clearly fake, the report notes. The developer listed for Square Photo Blur on Google Play, e.g., was called “Thomas Mary.”
The apps in the campaign generally follow a 3-stage payload evolution, researchers observed. In the first 2 stages, the code seems innocent, but the 3rd stage is where they picked up the bad activity.
In Stage 1, the app is installed using a Qihoo packer, which in itself is unsuspicious. It also uses a stub app, or stubs, which developers often use as placeholders for not-yet-developed code while they test other parts of the code.
This sets the app up for Stage 2, in which it is used as a ‘wrapper’ around another Blur app, com.appwallet.easyblur, visible after Square Photo Blur is unpacked.
That wrapped app itself does nothing wrong; the threat actors probably used it “to trick users into believing they have downloaded a legitimate app with Square Photo Blur,” researchers observed.
Stage 3 of the app’s installation is where it begins to get really malicious, says the report. It is in this stage that the malicious code generates the OOC ads; that code lives in packages named com.bbb.*, e.g. com.bbb.NewIn.
Code present in the app can deliver OOC ads every time a user unlocks the screen, starts charging the phone, or switches from cellular data to WiFi & vice versa, researchers stated.
The Satori team found the code responsible for the OOC ads on VirusTotal (VT), adding that the VT samples appear to be ‘small variations’ of the same base code with incremental changes. This is likely so the app can evade detection by antivirus companies, researchers surmised.
Once the app was fully installed, researchers clicked on the Square Photo Blur launcher icon on a test device & found it is basically a “hollow shell of an app, just enough to just pass the Play Store checks,” they further commented.
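As an added illustration of the Stage 3 behaviour described above (this is not code from the report or from White Ops), the following static triage check scans an AndroidManifest.xml for broadcast receivers registered on the three ad triggers the report names and for components in the com.bbb.* package. The mapping of those triggers to specific Android broadcast actions and the sample manifest are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"

# The report names the triggers (unlock, charging, cellular/WiFi switch) but not
# the broadcast actions; mapping them to these standard actions is an assumption.
TRIGGER_ACTIONS = {
    "android.intent.action.USER_PRESENT": "screen unlock",
    "android.intent.action.ACTION_POWER_CONNECTED": "charging started",
    "android.net.conn.CONNECTIVITY_CHANGE": "network switch",
}
SUSPICIOUS_CLASS_PREFIX = "com.bbb."  # package prefix the report attributes to the ad code

def triage_manifest(manifest_xml: str) -> dict:
    """Static triage of an AndroidManifest.xml for Chartreuse Blur-style indicators."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    triggers, bbb_components = set(), []
    for comp in app.iter():
        if comp.tag not in ("receiver", "service", "activity"):
            continue
        name = comp.get(A + "name", "")
        if name.startswith(SUSPICIOUS_CLASS_PREFIX):
            bbb_components.append(name)
        if comp.tag != "receiver":
            continue
        for f in comp.findall("intent-filter"):
            for act in f.findall("action"):
                label = TRIGGER_ACTIONS.get(act.get(A + "name", ""))
                if label:
                    triggers.add(label)
    # Receivers on two or more of the three triggers match the pattern in the report;
    # a com.bbb.* component is a strong match on its own. Manifest-level checks cannot
    # see the icon being hidden after install, since that happens at runtime.
    flagged = len(triggers) >= 2 or bool(bbb_components)
    return {"package": root.get("package", ""), "triggers": sorted(triggers),
            "bbb_components": bbb_components, "flagged": flagged}

# Constructed sample manifest (not from any real app); the package name is a placeholder.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder.blur">
  <application>
    <receiver android:name="com.bbb.NewIn">
      <intent-filter>
        <action android:name="android.intent.action.USER_PRESENT"/>
        <action android:name="android.intent.action.ACTION_POWER_CONNECTED"/>
        <action android:name="android.net.conn.CONNECTIVITY_CHANGE"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""
```

Running `triage_manifest(SAMPLE_MANIFEST)` reports all three triggers and the com.bbb.NewIn receiver and flags the sample; a manifest with a single such trigger and no com.bbb.* component is not flagged.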
They also suggested that reviews can be helpful in avoiding malicious apps like these: “Looking at the comments in the Reviews section for this app reveals negative sentiment against this developer. The reviews suggest the app is barely functional with many reports of OOC ads.”
Malicious apps list
The Satori team showed a list of the malicious apps in the report, & recommended that anyone using them remove them immediately. Researchers plan to continue to monitor the situation, they explained.
These apps have been removed from the Google Play store, but users will need to remove any already installed.