Researchers have exposed a malicious cyber-operation involving fraudulent photo-editing apps, none of which were found to function as advertised.
New research published today by White Ops’ Satori threat intelligence team revealed 29 fraudulent apps to be part of a nefarious cyber-scheme that they have named Chartreuse Blur.
The apps, which have already been downloaded 3.5 million times from the Google Play Store, cause out-of-context (OOC) ads to run rampant on a compromised device and randomly open web browsers while the device is in use.
Researchers noted that any time a compromised device is unlocked, plugged into a charger, or even switches cellular networks, an OOC ad pops up on the home screen, whether the fraudulent app is open or not.
Whoever is behind the operation tried hard to hide the true nature of the apps involved. The team found that the apps' malicious code is buried in a three-stage payload evolution, so that none of the code appears problematic until stage three.
Efforts were also made to prevent users from deleting any of the apps they have installed. Almost immediately upon installation, the app icon disappears from the device’s home screen, making it incredibly difficult for users to find and remove.
The name Chartreuse Blur was given to the operation because the majority of the apps involved are masquerading as photo editors and include the word "blur" in their package name.
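The behaviours reported above (ads fired when the device is unlocked, plugged in or changes network; an icon that never appears; "blur" in the package name) can be turned into a static triage heuristic over a decoded AndroidManifest.xml. The script below is an added example, not White Ops' tooling and not code from the report; the broadcast action names it looks for are an assumption about how such triggers are usually wired up, and both manifests are constructed for illustration.

```python
"""Static triage heuristic for a decoded AndroidManifest.xml, built from the
behaviours described in the article: ads triggered on unlock, charger
connection or a network change, an icon that is never shown, and 'blur' in
the package name.  Added example, not White Ops' tooling; the broadcast
action names are an assumption about how such triggers are usually wired."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS  # how ElementTree keys android:name

# Assumed mapping from the reported triggers to the Android broadcasts an
# app would register a receiver for in order to react to them.
TRIGGER_ACTIONS = {
    "android.intent.action.USER_PRESENT": "device unlocked",
    "android.intent.action.ACTION_POWER_CONNECTED": "charger plugged in",
    "android.net.conn.CONNECTIVITY_CHANGE": "network change",
}
LAUNCHER = "android.intent.category.LAUNCHER"


def triage_manifest(manifest_xml: str) -> dict:
    """Return the package name, a list of findings and a score (one point per
    finding).  Two or more findings merit a closer look; this is not a verdict."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    findings = []
    has_launcher = False
    app = root.find("application")
    if app is not None:
        # Receivers subscribed to the broadcasts behind the reported triggers.
        for receiver in app.findall("receiver"):
            for action in receiver.iter("action"):
                name = action.get(NAME_ATTR, "")
                if name in TRIGGER_ACTIONS:
                    findings.append("receiver for %s (%s)" % (name, TRIGGER_ACTIONS[name]))
        # An app with no LAUNCHER activity never gets a home-screen icon.
        for activity in app.findall("activity"):
            if any(c.get(NAME_ATTR) == LAUNCHER for c in activity.iter("category")):
                has_launcher = True
    if not has_launcher:
        findings.append("no LAUNCHER activity: the app will never show a home-screen icon")
    if "blur" in package.lower():
        findings.append("package name contains 'blur'")
    return {"package": package, "findings": findings, "score": len(findings)}


# Constructed sample manifest modelled on the reported behaviour; not a real app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.square.photo.blur">
  <application android:label="Photo Blur Demo">
    <activity android:name=".EditorActivity"/>
    <receiver android:name=".WakeReceiver">
      <intent-filter>
        <action android:name="android.intent.action.USER_PRESENT"/>
        <action android:name="android.intent.action.ACTION_POWER_CONNECTED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed benign manifest for comparison: a normal launcher, no receivers.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <application android:label="Notes">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for xml in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        result = triage_manifest(xml)
        print(result["package"], "score", result["score"])
        for finding in result["findings"]:
            print("  -", finding)
```

Run it against a manifest decoded from an APK (for example with apktool) rather than the binary manifest inside the archive. A missing launcher activity is only a weak signal on its own, since an app can also hide its icon at runtime after installation, which is why the score combines it with the receiver and naming checks.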
“If the app you’ve just downloaded is playing hide and seek with you, the icon disappearing from your home screen, it might be bogus,” warned researchers.
“If the only way you can open the app is by going into your Settings menu and finding it in a long list of apps, it might be bogus. If after you download this app, you open your phone and you begin getting bombarded by ads just appearing out of nowhere, it might be bogus.”
One of the apps exposed by researchers, the Square Photo Blur app, has since been removed from the Google Play Store.
“The developer name for Square Photo Blur — 'Thomas Mary' — is almost certainly bogus,” noted researchers.
“All of the apps in this investigation feature developers whose 'names' are common English language names smashed together, seemingly at random.”