Recently, Google Play Store was found with 29 malicious photo editing apps with a combined 3.5 million downloads running out-of-context ad campaigns. This is not the first attack of its kind. The ability to track users’ data is often been misused by developers and cyber crooks to generate more revenue. Moreover, Google is an open-source platform rendering it an easy target for many notorious cyber campaigns.
Many notorious developers exploit this advantage to practice their nefarious activities. And recently Google Play Store was found to have 29 malicious photo “blur” apps launching OOC ads on the victim mobile. The mobile apps employed techniques to prevent detection from antivirus and also to pass the Play Store Security checks.
ChartreuseBlur Campaign
According to the report of White Ops Satori Threat Intelligence and Research Team most of the 29 malicious mobile apps were labelled with the ‘blur’ in their package name. This made them give the campaign name ChartreuseBlur. Researchers said that the malicious android apps “manifested suspiciously high volumes of ad traffic”.
The team found that the code snippet responsible for OCC ads was found on VirusTotal (VT). The snippets appear to be slight variations of the same base code with incremental changes. Developers did this to avoid detection by antivirus.
Photo Blur Apps
The applications were designed to provide a utility much in demand. To provide a depth-effect that usually comes with SLR and DSLR cameras. Usually called the blur effect, it is liked by many users who want to make their photographs appealing.
The victims of the campaign downloaded the apps as a photo editor tool, oblivious to the hidden intent of the applications.
Usual Drill
Researchers conducted an analysis on one of the apps, in particular, called Square Photo Blur, finding that its behaviour was consistent with all of the malicious apps.
Once downloaded the mobiles experience an influx of ads appearing out of nowhere, a phenomenon is known as out-of-context(OCC) ads. Researchers also found that the apps can deliver OCC ads every time a user wakes up the screen, plugs to charging or switching from cellular to WiFi and vice versa.
The distinct hallmark of the applications is that once downloaded, the applications play “hide & seek” with the device, forcing users to uninstall the apps from the settings, searching for the app from the long list. This makes it difficult for average users to locate the app and uninstall it.
The report stated that to stay undetected the developers used fake contact details for the apps in the campaign. Square Photo Blur was registered with the name “Thomas Mary” on Google Play Store which is completely fake.
As the researchers studied how the apps work (using Square Blur app), they found that the apps in the campaign have a three-stage payload evolution. The initial stages were harmful but an aid to the third stage where researchers noticed the nefarious activities.
Stage-I
As part of its malicious employment, the app is installed using a Qihoo packer. Researchers could not find anything suspicious about this methodology. The app also uses a truncated application called a stub app which often is used by developers to test other parts of the code of an application.
Stage-II
Here the app is used as a ‘wrapper’ around another Blur app, com.appwallet.easyblur, visible after Square Photo Blur is unpacked.
This was a failsafe stage “to trick users into believing they have downloaded a legitimate app with Square Photo Blur,” researchers observed.
Stage-III
Stage-3 of the app’s installation is where the app begins to get really malicious, says the report. It is in this stage that the malicious code generates the OOC ads, & it is in the form of packages com.bbb.*, e.g. com.bbb.NewIn.
Free access to a plethora of android apps creates the need to advertise the platforms. To accrue a handsome amount of revenue, applications use cookies to fetch apt data about a user. Android apps use this tracking data for advertising to generate revenue. Though it seems to be an invasion, it is this tracking data which kept the free access to the applications largely free. The thing is android users have little choice, but to accept the conditions, and keep being tracked—the little trade-off for using free apps.
Researchers said that if you have fallen prey to the campaign and have witnessed an influx of OCC ads on your device, immediately uninstall the application by opening settings and searching for the app in the apps’ list.
