Chartreuse Blur

While there have been several fraudulent applications managing to sneak their way onto the Google Play store and, therefore, to the devices of countless unsuspecting users, it is not common for a group of hackers to manage to infiltrate the store with nearly 30 such applications. The security researchers of the White Ops' Satori threat intelligence team managed to uncover exactly that - a pack of 29 threatening applications that had managed to rack up 3.5 million downloads. The whole operation has been dubbed Chartreuse Blur by the researchers.

The applications claim to offer some sort of photo editing tools. For example, one called Square Photo Blur supposedly helps users blur certain parts of photos or images. Suppose the user decides to give the application a chance. In that case, it soon becomes evident that no photo editing can be done with it, and the launch icon of the installed application has vanished from the phone screen mysteriously. The now infected device will be bombarded with a stream of out-of-context (OOC) advertisements. Looking at the underlying code of one of these applications, revealed that certain specific events triggered the generation of unwanted advertisements. When users unlock their phones, unless it was for a phone call, they would see interstitial advertisements. When the fraudulent application is open, they would see advertisements, when any other application is uninstalled. Yes, you guessed it - more advertisements. These are not the only ativators for the pop-up advertisements to be displayed; in fact, there are a lot more such as when the users start charging their phones, unlock their screens, or when the cellular data switches to WI-FI and vice versa. The activity of these applications is not limited to only ad generation. They are also capable of opening an OOC web browser at seemingly random intervals while the infected device is in use.

The Numerous Chartreuse Blur Applications Hide Their Payloads Under Layers of Obfuscation

The hackers that created this group of threatening applications have implemented a three-step payload evolution to obfuscate their code and avoid detection. The Quihoo packer is used at the first stage, as well as harmless stub code (placeholder code that simulates the functionality of the future fully developed code). During the second stage, more of the underlying code is revealed, but again no unsafe activity is executed. Only during the third step does the application reveal its true face as other packages named com.bbb.* are downloaded to the device. The code responsible for the removal of the launcher icon also can be observed at this stage. The researchers noticed that the domain "ruanfan[.]co" was hardcoded into the analyzed applications.

The Square Photo Blur application has been removed from the Play Store subsequently, but users should still exercise caution when downloading applications on their devices. If any signs of suspicious behavior become present, they should go to the Settings menu and uninstall the applications manually.