The threat intelligence and research team from cybersecurity firm White Ops found a new campaign of malicious photo editing apps on the Google Play Store targeting Android devices with random out-of-context ads. The researchers discovered 29 malicious Android apps in the Play Store with more than 3.5 million downloads.
ChartreuseBlur Analysis
The researchers named their investigation as “ChartreuseBlur,” since a majority of the apps used the word “blur” in their package name. The malicious apps have known to obfuscate the code and escape security detection by making its icon disappear from the device’s home screen shortly after download.
The apps have a three-stage payload evolution. In the first two stages, the app appears normal, but it reveals its malicious activities in the third phase. Once the app is downloaded, it begins attacking the device with unwanted ads.
The researchers stated that they conducted an analysis on one of the apps called Square Photo Blur and found that its features were like that of all apps. The team published a list of malicious applications and recommended users to remove them immediately, if anyone is using them.
How to Identify Malicious Apps
Researchers stated that users should reverse engineer every mobile app before installing it. Here are some questions a user can ask to help identify malicious apps:
- Do the reviews talk about ads popping up all the time?
- Do the reviews talk about the app disappearing or being unable to uninstall itself?
- Do the reviews have a lot of complaints that the app does not work as advertised?
- Are there a lot of 5-star reviews, but the recent reviews are mostly 1-star?
- Does the app publisher have a lot of downloads in a very short amount of time?
If the answer is yes to any of the above, then it might be a bogus or malicious app.
Cyberthreats associated with Malicious Apps
Researchers from cybersecurity firm Trend Micro revealed that they have discovered three malicious apps on Google Play, which are designed to compromise victim’s devices and steal information. The three malicious apps, Camero, FileCryptManager, and CallCam, were masked as photography and file manager tools. It’s also observed that the Camero app exploits use-after-free vulnerability CVE-2019-2215 that exists in Binder, an inter-process communication system in Android. By exploiting the CVE-2019-2215 vulnerability, attackers can inject malicious codes and steal information without user knowledge.
