Beware Android Users! These 29 Photo Editing Apps On Google Play Store Are Spreading Ad-Based Malware

Bad actors continue to dominate Google Play store as in a series of new malicious photo apps the Android devices are getting flooded with random ads instead of targeted ones. And while that alone is alarming, the icon of the apps also disappear soon after a user downloads them on the device.

First spotted by White Ops Research Team in a threat-spotting investigation, such apps - 29 in total - hold high volumes of ad traffic and also have 3.5 million downloads to date altogether.

The campaign is called as “ChartreuseBlur” mostly because of how majority of the apps have the “blur” factor to their name or functionality.

People who become a victim of the bad apps also see alerts in the form of certain characteristics. One of them includes the “hide and seek” play in which the icon of the installed app vanishes from the home screen and the user is then bound to go into Settings to check whether the app was really installed or open it from there only. The whole process also makes it very difficult for an average user to remove the app.

Furthermore, to catch a more common characteristic in these apps, the research team conducted analysis on one app called Square Photo Blur - considering how its behavior was similar to a lot of other malicious apps. Once downloaded, the app was bombarding the phone with out-of-context ads and its developer had a more English-sounding name like “Thomas Mary”. Google deleted the Square Photo Blur app later from the Play Store.

More reports from the researchers showed that the apps had a three-stage payload evolution. The code appears as normal in the first two stages but in the third phase, the team found suspicious activities going on.

Right from the first stage, in case of Square Photo Blur, the apps get installed with the help of a Qihoo packer (which is an alarming sign itself). The apps also use stubs which are normally used by developers for when they have not-developed the code or want to test out other parts of the code.

When the installation process reaches stage two, a Blur app with the code com.appwallet.easyblur became quite visible in Square Photo Blur after unpacking. However, the researchers told that this app does not do anything malicious, in fact, it only exists to make the user believe into the fact that they are downloading a real app.


Stage three is the most dangerous part of the app as this is exactly where the malicious code hidden inside the app starts to generate OOC ads and the presence of it can be seen in the form of packages com.bbb.*, such as com.bbb.NewIn. This code in the app make the OOC ads appear in front as soon as the user unlocks the phone, puts it on charging or decide to switch from cellular to WiFi data.

After fully installing the device, researchers clicked on the app launcher icon of Square Photo Blur and found that it is a hollow shell of an app that happens to have passed the Play Store checks.

While discovering the code snippet, the Satori team has also suggested that users should read the reviews before installing any such app. This is because in the reviews section people spill out the truth which can protect you from any malicious attack that can happen through the app you are about to install.

The team has already reported the list of malicious apps to Google and they are being removed from the Play Store on an immediate basis. If you happen to have installed them on your phone, get rid of them right away.

Researchers have also promised to continue monitoring the situation.

The list of apps can be found in the below chart:



Read next: Researchers Discovered a New Android Malware That Steals Credentials from Banking Apps As Well As Shopping, Communication And Business Category Apps
Previous Post Next Post