Malicious Android apps affect 3.5 million users — what to do


Security researchers detected 29 Android applications that harbored malware and amassed at least 3.5 million downloads.

The dodgy apps, discovered by cybersecurity firm White Ops, bombarded users with intrusive adverts, didn’t perform intended functions and were nearly impossible for users to delete as the apps' launch icons would suddenly vanish.

Dodgy photo editors

In a blog post, the White Ops Satori Threat Intelligence researchers said they came across the malicious apps when they were threat-hunting and noticed that the apps in question had “manifested suspiciously high volumes of ad traffic”.

White Ops has named this campaign ChartreuseBlur as most of these apps were photo editors that contained “blur” in their titles. The researchers also questioned the legitimacy of the apps as the names of their developers sounded similar. 

“The developer name for Square Photo Blur — 'Thomas Mary' — is almost certainly bogus,” noted the researchers. “All of the apps in this investigation feature developers whose 'names' are common English language names smashed together, seemingly at random.”

What’s more, the majority of the apps had negative reviews on the Google Play Store. White Ops said the poor write-ups “suggest the app is barely functional with many reports of OOC [out-of-context] ads”.

In-depth analysis 

During their investigation, the researchers analyzed an app called Square Photo Blur and noted that it was similar to the other apps. 

To avoid being detected by Google Play's malware screeners, the ChartreuseBlur apps were kitted out with a so-called three-stage payload evolution.

“In both Stages 1 and 2, the code appears innocent, but if there’s going to be ad fraud, the app needs to render the code to do so and the Satori team spotted it during Stage 3,” they explained.

In the first stage, the app employs a Qihoo packer as part of the installation process. As noted by White Ops, this isn’t out of the ordinary because packers are often used for preventing piracy.

But White Ops pointed out that despite this, “all of the malicious activities, services, and broadcast receivers were declared in their manifests.”

The apps also used stubs, which essentially play the role of a placeholder when developers are testing code. White Ops found that the stubs were “used as a bridgehead for Stage 2”.

Malicious aims

During the second stage, the researchers said the Square Photo Blur app was “being used as a wrapper around another Blur app”. 

But the app wouldn't be malicious at this point because the crooks want users to think the app is real.

In the third stage, things quickly change when “the malicious code is finally revealed.” This is when the out-of-context adverts appear -- and they're visible whenever users unlock their devices, put the devices on charge or switch cellular data and Wi-Fi on or off. 
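
As an added illustration (not code from White Ops or from the original article), the Python below triages a decoded AndroidManifest.xml for broadcast receivers that listen on several of the device-state events named above. The mapping of those events to standard Android broadcast actions, the sample manifest, the package name com.example.blurdemo and the function name flag_trigger_receivers are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption: standard Android broadcasts matching the triggers in the article
# (unlock, charging, connectivity changes). The report does not list them.
TRIGGER_ACTIONS = {
    "android.intent.action.USER_PRESENT": "device unlocked",
    "android.intent.action.ACTION_POWER_CONNECTED": "charger connected",
    "android.intent.action.ACTION_POWER_DISCONNECTED": "charger disconnected",
    "android.net.conn.CONNECTIVITY_CHANGE": "cellular/Wi-Fi connectivity changed",
    "android.net.wifi.WIFI_STATE_CHANGED": "Wi-Fi switched on or off",
}

# Constructed sample manifest (decoded to text), not taken from any real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.blurdemo">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".AdTriggerReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.USER_PRESENT"/>
        <action android:name="android.intent.action.ACTION_POWER_CONNECTED"/>
        <action android:name="android.net.conn.CONNECTIVITY_CHANGE"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".LocaleReceiver">
      <intent-filter>
        <action android:name="android.intent.action.LOCALE_CHANGED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def flag_trigger_receivers(manifest_xml, min_triggers=2):
    """Return {receiver name: [trigger descriptions]} for receivers that
    listen on at least min_triggers of the device-state broadcasts."""
    root = ET.fromstring(manifest_xml)
    flagged = {}
    for receiver in root.iter("receiver"):
        actions = {a.get(ANDROID_NS + "name") for a in receiver.iter("action")}
        hits = sorted(TRIGGER_ACTIONS[a] for a in actions if a in TRIGGER_ACTIONS)
        if len(hits) >= min_triggers:
            flagged[receiver.get(ANDROID_NS + "name")] = hits
    return flagged

if __name__ == "__main__":
    for name, hits in flag_trigger_receivers(SAMPLE_MANIFEST).items():
        print(f"{name}: {', '.join(hits)}")
```

A receiver flagged this way is a lead for manual review, not proof of ad fraud: legitimate apps also listen for these events, and receivers registered at runtime do not appear in the manifest.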

The malicious apps have all been removed from the Google Play Store, but White Ops has posted a list of the app names and package names.

Threat actors often develop mobile apps that look legitimate but are actually filled with malware. To protect yourself, you should only download apps from reputable sources, read reviews and check what permissions an app wants to access.

You'll also want to install and use one of the best Android antivirus apps, some of which are quite inexpensive or even free.

Nicholas Fearn is a freelance technology journalist and copywriter from the Welsh valleys. His work has appeared in publications such as the FT, the Independent, the Daily Telegraph, The Next Web, T3, Android Central, Computer Weekly, and many others. He also happens to be a diehard Mariah Carey fan!
