Security researchers detected 29 Android applications that harbored malware and amassed at least 3.5 million downloads.
The dodgy apps, discovered by cybersecurity firm White Ops, bombarded users with intrusive adverts, didn't perform their advertised functions and were nearly impossible for users to remove: their launcher icons would vanish after installation, so victims had no obvious way to find and uninstall them.
Dodgy photo editors
In a blog post, the White Ops Satori Threat Intelligence researchers said they came across the malicious apps while threat-hunting, after noticing that the apps in question had "manifested suspiciously high volumes of ad traffic".
White Ops has named this campaign ChartreuseBlur because most of the apps were photo editors with "blur" in their titles. The researchers also questioned the legitimacy of the apps because their developer names followed the same suspicious pattern.
"The developer name for Square Photo Blur — 'Thomas Mary' — is almost certainly bogus," noted the researchers. "All of the apps in this investigation feature developers whose 'names' are common English language names smashed together, seemingly at random."
What’s more, the majority of the apps had negative reviews on the Google Play Store. White Ops said the poor write-ups “suggest the app is barely functional with many reports of OOC [out-of-context] ads”.
During their investigation, the researchers analyzed one app, Square Photo Blur, in depth and found it representative of the rest of the set.
To evade Google Play's malware screening, the ChartreuseBlur apps used what the researchers describe as a three-stage payload evolution, with the ad-fraud code only appearing in the final stage.
"In both Stages 1 and 2, the code appears innocent, but if there’s going to be ad fraud, the app needs to render the code to do so and the Satori team spotted it during Stage 3,” they explained.
In the first stage, the app ships wrapped in a Qihoo packer. As White Ops noted, this on its own isn't unusual, because packers are commonly used to hinder piracy and reverse engineering.
Packing hides the code but not the manifest, however, and White Ops pointed out that "all of the malicious activities, services, and broadcast receivers were declared in their manifests."
The apps also contained stubs, placeholder classes of the kind developers normally use while testing code. White Ops found that these stubs were "used as a bridgehead for Stage 2".
During the second stage, the researchers said the Square Photo Blur app was “being used as a wrapper around another Blur app”.
At this stage the app still behaves benignly, because the operators want users to believe it is genuine.
In the third stage, things quickly change when "the malicious code is finally revealed." This is when the out-of-context adverts appear: they are triggered whenever the user unlocks the device, plugs in a charger, or switches cellular data or Wi-Fi on or off.
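The triggers described above (unlock, charger connected, connectivity change) are ordinary Android system broadcasts, and White Ops notes that the receivers for them were declared in the apps' manifests. The following is an added example written for this page, not White Ops' tooling or code from the apps: it parses a decoded AndroidManifest.xml and lists every broadcast receiver wired to one of those trigger actions. The manifest it runs on is a constructed sample, and the mapping of the report's triggers to specific Android actions is an assumption made for the example.

```python
"""Triage a decoded AndroidManifest.xml for broadcast receivers that fire on
the same events ChartreuseBlur used to surface out-of-context ads.
Added example for this article; not code from White Ops or the apps."""
import xml.etree.ElementTree as ET

# Android manifest attributes live in this XML namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping from the report's trigger events to system broadcast
# actions (the report names the events, not these action strings).
TRIGGER_ACTIONS = {
    "android.intent.action.USER_PRESENT": "device unlocked",
    "android.intent.action.ACTION_POWER_CONNECTED": "charger connected",
    "android.intent.action.ACTION_POWER_DISCONNECTED": "charger disconnected",
    "android.net.conn.CONNECTIVITY_CHANGE": "connectivity changed",
    "android.net.wifi.WIFI_STATE_CHANGED": "Wi-Fi toggled",
}


def find_trigger_receivers(manifest_xml: str):
    """Return [(receiver_name, [trigger descriptions])] for each <receiver>
    whose intent filter listens for at least one trigger action."""
    root = ET.fromstring(manifest_xml)
    hits = []
    for receiver in root.iter("receiver"):
        name = receiver.get(ANDROID_NS + "name", "<unnamed>")
        triggers = []
        for action in receiver.iter("action"):
            act = action.get(ANDROID_NS + "name")
            if act in TRIGGER_ACTIONS:
                triggers.append(TRIGGER_ACTIONS[act])
        if triggers:
            hits.append((name, triggers))
    return hits


# Constructed sample manifest for the example (not from any real app).
# It declares a launcher activity, two receivers on trigger events and one
# unrelated boot receiver that should not be flagged.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.blurphoto">
  <application android:label="Photo Blur">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".UnlockReceiver">
      <intent-filter>
        <action android:name="android.intent.action.USER_PRESENT"/>
        <action android:name="android.intent.action.ACTION_POWER_CONNECTED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".NetReceiver">
      <intent-filter>
        <action android:name="android.net.conn.CONNECTIVITY_CHANGE"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for receiver_name, triggers in find_trigger_receivers(SAMPLE_MANIFEST):
        print(f"{receiver_name}: {', '.join(triggers)}")
```

A receiver on these events is not malicious by itself (a battery widget legitimately listens for charger events), so this is a triage signal to combine with the packer and stub indicators above, not a verdict. It also only sees receivers declared in the manifest; receivers registered at runtime from code are invisible to it, and a packed second-stage payload would need to be unpacked before its own manifest could be checked the same way.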
The malicious apps have all been removed from the Google Play Store, but White Ops has published a list of the app names and package names so that users can check whether any are installed.
Threat actors routinely publish mobile apps that look legitimate but carry malware. To protect yourself, only install apps from reputable sources, read the reviews (repeated complaints about ads appearing outside the app are a warning sign), be wary of developer names that look made up, and check which permissions an app requests before installing it.
You'll also want to use and install one of the best Android antivirus apps, some of which are quite inexpensive or even free.