Malicious Android apps affect 3.5 million users — what to do


Security researchers detected 29 Android applications that harbored malware and amassed at least 3.5 million downloads.

The dodgy apps, discovered by cybersecurity firm White Ops, bombarded users with intrusive adverts, didn’t perform their intended functions and were nearly impossible for users to delete because the apps' launch icons would suddenly vanish.

Dodgy photo editors

In a blog post, the White Ops Satori Threat Intelligence researchers said they came across the malicious apps when they were threat-hunting and noticed that the apps in question had “manifested suspiciously high volumes of ad traffic”.

White Ops has named this campaign ChartreuseBlur as most of these apps were photo editors that contained “blur” in their titles. The researchers also questioned the legitimacy of the apps as the names of their developers sounded similar. 

“The developer name for Square Photo Blur —'Thomas Mary'— is almost certainly bogus," noted the researchers. "All of the apps in this investigation feature developers whose 'names' are common English language names smashed together, seemingly at random.” 

What’s more, the majority of the apps had negative reviews on the Google Play Store. White Ops said the poor write-ups “suggest the app is barely functional with many reports of OOC [out-of-context] ads”.

In-depth analysis 

During their investigation, the researchers analyzed an app called Square Photo Blur and noted that it was similar to the other apps. 

To avoid being detected by Google Play's malware screeners, the ChartreuseBlur apps were kitted out with a so-called three-stage payload evolution.

"In both Stages 1 and 2, the code appears innocent, but if there’s going to be ad fraud, the app needs to render the code to do so and the Satori team spotted it during Stage 3,” they explained.

In the first stage, the app employs a Qihoo packer as part of the installation process. As noted by White Ops, this isn’t out of the ordinary because packers are often used for preventing piracy.

But White Ops pointed out that despite this, “all of the malicious activities, services, and broadcast receivers were declared in their manifests.”

The apps also used stubs, which essentially play the role of a placeholder when developers are testing code. White Ops found that the stubs were “used as a bridgehead for Stage 2”.

Malicious aims

During the second stage, the researchers said the Square Photo Blur app was “being used as a wrapper around another Blur app”. 

But the app wouldn't be malicious at this point because the crooks want users to think the app is real.

In the third stage, things quickly change when “the malicious code is finally revealed.” This is when the out-of-context adverts appear -- and they're visible whenever users unlock their devices, put the devices on charge or switch cellular data and Wi-Fi on or off. 
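A triage check for the behavior described above, as an added example that is not from White Ops or the original article: it scans a decoded AndroidManifest.xml for broadcast receivers subscribed to several device-state events at once. The mapping from the article's triggers (unlock, charging, connectivity changes) to these standard Android broadcast actions is an assumption, and the sample manifest and every name in it are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption: standard Android broadcast actions matching the triggers in the article.
TRIGGER_ACTIONS = {
    "android.intent.action.USER_PRESENT": "device unlocked",
    "android.intent.action.ACTION_POWER_CONNECTED": "charger connected",
    "android.net.conn.CONNECTIVITY_CHANGE": "connectivity changed",
    "android.net.wifi.WIFI_STATE_CHANGED": "Wi-Fi toggled",
}

def flag_trigger_receivers(manifest_xml, min_triggers=2):
    """Return {receiver name: trigger labels} for receivers that listen on
    at least min_triggers of the device-state broadcasts above."""
    root = ET.fromstring(manifest_xml)
    findings = {}
    for receiver in root.iter("receiver"):
        name = receiver.get(ANDROID_NS + "name", "<unnamed>")
        hits = set()
        for action in receiver.iter("action"):
            label = TRIGGER_ACTIONS.get(action.get(ANDROID_NS + "name"))
            if label:
                hits.add(label)
        if len(hits) >= min_triggers:
            findings[name] = sorted(hits)
    return findings

# Constructed sample manifest (hypothetical package and receiver names).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.blur">
  <application>
    <receiver android:name=".AdTriggerReceiver">
      <intent-filter>
        <action android:name="android.intent.action.USER_PRESENT"/>
        <action android:name="android.intent.action.ACTION_POWER_CONNECTED"/>
        <action android:name="android.net.conn.CONNECTIVITY_CHANGE"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    for name, triggers in flag_trigger_receivers(SAMPLE_MANIFEST).items():
        print(f"{name}: {', '.join(triggers)}")
```

A hit is a prompt for closer review, not proof of ad fraud: legitimate apps also listen for these events, though a photo editor has little reason to.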

The malicious apps have all been removed from the Google Play Store, but White Ops has posted a list of the app names and package names.

Threat actors often develop mobile apps that look legitimate but are actually filled with malware. To protect yourself, you should only download apps from reputable sources, read reviews and check what permissions an app wants to access.

You'll also want to install and use one of the best Android antivirus apps, some of which are quite inexpensive or even free.

Nicholas Fearn is a freelance technology journalist and copywriter from the Welsh valleys. His work has appeared in publications such as the FT, the Independent, the Daily Telegraph, The Next Web, T3, Android Central, Computer Weekly, and many others. He also happens to be a diehard Mariah Carey fan!