We’ve got a quick mobile app safety tip or two for you: if the app you’ve just downloaded is playing hide and seek with you, the icon disappearing from your home screen, it might be bogus. If the only way you can open the app is by going into your Settings menu and finding it in a long list of apps, it might be bogus. And if after you download this app, you open your phone and you begin getting bombarded by ads just appearing out of nowhere, it might be bogus.
The White Ops Satori Threat Intelligence and Research Team recently identified a set of mobile apps that manifested suspiciously high volumes of ad traffic during their threat hunting investigations. After looking more closely at those apps and their similarly developed counterparts, White Ops discovered 29 apps with code facilitating out-of-context (OOC) ads as well as a pretty clever way to evade detection. The apps we investigated in the course of this research did not function as advertised, and had more than 3.5 million downloads among them.
White Ops dubbed this investigation CHARTREUSEBLUR: the majority of apps include the word “blur” in their package name, and many purport to be photo editors allowing a user to blur sections of the image. The “chartreuse”, well, that’s just because it’s fun to say and the liqueur is tasty.
Square Photo Blur App
The Satori team developed our analysis using the Square Photo Blur app (see Table 1 below), but what we found was common to all of the identified apps in Appendix A: all were guilty of fraudulently rendering OOC ads. Compounding this, the apps investigated during our research removed their launch icons shortly after install, making it very difficult for an average user to remove the app. The Square Photo Blur app has been removed from the Google Play Store.
App Name | Square Photo Blur |
Package Name | com.jack.square.photo.blur.image |
MD5 | 5a62bbaa7b08c3ff08eb748ff374749a |
SHA256 | 23e0c8eba8a4a7556384cc7f252fecd2d0b344c3ecf366581baf22da58df16fc |
File Size | 11 MB |
Google Play Store Link | https://play.google.com/store/apps/details?id=com.jack.square.photo.blur.image |
Version Analyzed | 2.0.5 |
Developer | Thomas Mary |
Contact Email | artidypi@gmail.com |
Table 1: Details of the malicious app analyzed
Source: White Ops Threat Intelligence
The developer name for Square Photo Blur, "Thomas Mary", is almost certainly bogus. All of the apps in this investigation feature developers whose "names" are common English language first names smashed together, seemingly at random.
Looking at the comments in the Reviews section for this app reveals negative sentiment toward this developer. The reviews suggest the app is barely functional, with many reports of OOC ads. The summary shows the C-shaped rating distribution we often see with suspicious apps, with most of the newer reviews giving the app only one star.
Figure 1: C-shaped rating distribution for Square Photo Blur app.
Source: White Ops Threat Intelligence
Stage 1: Nothing to See Here
The CHARTREUSEBLUR apps obfuscate the code—almost certainly to evade detection—using a three-stage payload evolution. In both Stages 1 and 2, the code appears innocent, but if the app is going to commit ad fraud, the code that does so has to be present somewhere, and the Satori team spotted it in Stage 3.
The Square Photo Blur app—and indeed all of the apps identified in this investigation—is packed using a Qihoo packer as the first stage of the malicious activity payload. As we noted in our BeautyFraud investigation, packers can be used for legitimate purposes, like protecting intellectual property from piracy. Although all of the apps were protected by the Qihoo packer, the malicious activities, services, and broadcast receivers were still declared in plain view in their manifests.
A stub app, conveniently called stub, can be seen in Figure 2. Stub apps are typically used by developers as a placeholder for not-yet-developed code during testing of other parts of the code. They simulate the functionality of the future code. In this case, the stub app is code that is used as a bridgehead for Stage 2.
Figure 2: Stub app for Square Photo Blur containing the Qihoo packer.
Source: White Ops Threat Intelligence
So, to an unsuspecting researcher or AV detection engine, the app appears to have nothing (malicious) to see here.
Stage 2: A Very Merry Unbirthday Gift
After unpacking the app, the second stage of the payload is revealed and the majority of code is now visible. The Satori team discovered that the offending malicious code is still not apparent at this stage.
Figure 3: Second stage of the payload
Source: White Ops Threat Intelligence
The Square Photo Blur app is being used as a wrapper around another BLUR app, com.appwallet.easyblur, which can be seen after unpacking Square Photo Blur (see Figure 3). It’s worth noting com.appwallet.easyblur does not render any out-of-context ads: it appears to be the unfortunate target of the threat actors to trick users into believing they have downloaded a legitimate app with Square Photo Blur.
Stage 3: Phone Home
The malicious code is finally revealed, related to other packages named com.bbb.* which are downloaded as the third stage of the payload.
Classes that are missing from the main unpacked code, such as com.bbb.NewIn, are referenced in multiple places. Examples include the code that hides the icon—as seen in Figure 4—and the multiple manifest entries seen in Figure 5 that point to an invasive receiver with high priority.
Figure 4: Icon hiding snippet declared in the manifest inside the second stage.
Source: White Ops Threat Intelligence
Figure 5: Malicious components declared in, but missing from, the second stage.
Source: White Ops Threat Intelligence
By leveraging OSINT tools, the Satori team discovered the code snippet responsible for the out-of-context ads on VirusTotal (VT). The com.bbb* code was seen inside an external, stand-alone APK that was uploaded multiple times over the last couple of months to the VT platform.
Figure 6: Example iterations of the third stage payload, com.bbb*, shown on VT.
Source: VirusTotal
The VT samples appear to be slight variations of the same base code with incremental changes, likely with the goal of avoiding detection by antivirus companies. All of the apps listed in Appendix A contain this same malicious SDK embedded inside a test APK.
Figure 7: Early VT submission of the com.bbb* SDK.
Source: VirusTotal
Figure 7 shows an older version of the malicious SDK, which triggered multiple detections in VT when it was first seen on April 26, 2020. However, another iteration of the SDK, uploaded just hours later, demonstrates a stealthier approach which not only crashed some analysis tools (including JADX) but also resulted in a much lower VT detection rate, as shown in Figure 8.
Figure 8: Iteration of third stage payload with less detection.
Source: VirusTotal
After reversing this malicious SDK (all versions had the same structure), the piece of code responsible for the out-of-context and disruptive ads is visible in plain sight, as seen in Figure 9.
Figure 9: OOC ad activity being launched when the user unlocks the screen.
Source: White Ops Threat Intelligence
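The two manifest-level indicators described above (components declared in the manifest but absent from the unpacked code, as in Figure 5, and a high-priority receiver that fires on screen unlock, the trigger seen in Figure 9) can be checked mechanically during triage. The script below is an added example, not White Ops code or code from the apps; the manifest, package and class names in it are constructed, and the priority threshold is an assumption since the analysis only says "high priority".

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "service", "receiver")
UNLOCK_ACTION = "android.intent.action.USER_PRESENT"   # broadcast on screen unlock
HIGH_PRIORITY = 900  # threshold is an assumption; the analysis only says "high priority"

def resolve_name(pkg, name):
    """Expand manifest shorthand such as '.Main' into a fully qualified class name."""
    if name.startswith("."):
        return pkg + name
    return name if "." in name else f"{pkg}.{name}"

def triage_manifest(manifest_xml, dex_classes):
    """Return (class_name, reason) findings: components the manifest declares but
    the unpacked code lacks, and high-priority receivers keyed to screen unlock."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package", "")
    findings = []
    for comp in root.iter():
        if comp.tag not in COMPONENT_TAGS:
            continue
        name = resolve_name(pkg, comp.get(ANDROID_NS + "name", ""))
        if name not in dex_classes:
            findings.append((name, f"{comp.tag} declared in manifest but missing from code"))
        for flt in comp.findall("intent-filter"):
            prio = int(flt.get(ANDROID_NS + "priority", "0"))
            actions = {a.get(ANDROID_NS + "name") for a in flt.findall("action")}
            if comp.tag == "receiver" and UNLOCK_ACTION in actions and prio >= HIGH_PRIORITY:
                findings.append((name, f"high-priority ({prio}) receiver for screen unlock"))
    return findings

# Constructed sample: an apktool-style decoded manifest and the class names actually
# present in the unpacked dex; every package and class name here is invented.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.blurwrapper">
  <application>
    <activity android:name=".MainActivity"/>
    <receiver android:name="com.example.bbb.UnlockReceiver">
      <intent-filter android:priority="1000">
        <action android:name="android.intent.action.USER_PRESENT"/>
      </intent-filter>
    </receiver>
    <service android:name="com.example.bbb.LoaderService"/>
  </application>
</manifest>"""
SAMPLE_DEX_CLASSES = {"com.example.blurwrapper.MainActivity"}

if __name__ == "__main__":
    for cls, why in triage_manifest(SAMPLE_MANIFEST, SAMPLE_DEX_CLASSES):
        print(f"{cls}: {why}")
```

On a real sample, the class set would come from the unpacked dex (for example from apktool or androguard output) rather than being hard-coded.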
After clicking the Square Photo Blur app’s launcher icon on our test device…