Dangerous Smartphone Apps You Should Delete
Smartphone apps can be dangerous as they may “sell” your location data, “steal” logins and passwords for accessing Facebook, or display unrelated ads.
In late July 2020, 29 dangerous mobile apps for Android were discovered on Google Play; together they had been downloaded more than 3.5 million times. The primary goal of these apps was to show non-contextual ads with various undertones.
All these apps are related to photo editing. Interestingly, after installation, the app icons disappear from the home screen once the smartphone is restarted, making them harder to locate in the app list.
According to a report by the White Ops Satori Threat Intelligence team, these apps were generating suspiciously large amounts of ad traffic. The research team called this group of apps “Chartreuse Blur,” as many of them included the word “Blur” in their names. Additionally, these photo editors allow users to blur areas in images.
The “Hide and Seek” Game with Installed Apps
When an app icon disappears from the home screen on an Android device, it can be difficult to find it in the list of all apps. This leads to challenges, such as not being able to delete the app because the user assumes it’s no longer on the smartphone.
Thanks to the investigation by the Satori team, one of these apps, Square Photo Blur, was removed from the Google Play Store.
The research also revealed that this app exhibited characteristics of malware: once installed, it began “attacking” the phone with ads out of nowhere. This phenomenon can be described as “displaying ads out of context.”
Another notable feature of this group of apps is the clearly fictitious English names of their developers. For example, the developer of Square Photo Blur on Google Play is listed as “Thomas Mary.”
Three Stages of App Downloading
According to researchers, such apps typically go through a three-stage evolution in their downloading process. In the first two stages, the app (and its code) appears normal and poses no threat, but by the third stage, malicious behavior is activated.
The first stage is the installation of the application with the Qihoo packer, which doesn't do much to raise suspicion. It also uses a placeholder app or placeholders, which are often used by developers to replace incomplete code — ostensibly “for testing”.
In the second stage, the application changes to act as a shell for another program, Blur, which appears after Square Photo Blur is unpacked. This secondary program doesn't perform any malicious actions. The attackers designed this process to trick users into thinking they have downloaded the legitimate Square Photo Blur app.
Only in the third stage does the app become malicious, when the malicious code begins to generate advertisements. According to the researchers, the code in the app can trigger ads every time the user unlocks the screen, starts charging the phone, or switches between cellular data and Wi-Fi.
The Satori team found a code fragment responsible for the ads on VirusTotal (VT) and noted that its variations are likely small tweaks of the same base code. These modifications likely help evade detection by antivirus programs on the user’s smartphone.
Upon initial installation, tapping the Square Photo Blur icon on a test device revealed that it was merely a shell app, sufficient to pass Google Play Store’s checks. The Satori team included a list of malicious apps in their report and advised anyone using them to delete them immediately. While the apps have been removed from the Google Play Store, users are still using them.
List of Malicious Apps from the Chartreuse Blur Group
Application | PKG Name | Version | Number of installations | Author/Developer |
---|---|---|---|---|
Auto Picture Cut | com.auto.picture.cut.background.eraser.tool | 4.0.0 | 100 000+ | mecharcfa(at)gmail.com |
Color Call Flash | com.color.call.flash.tools | 2.0.0 | 50 000+ | Seay Elizabeth |
Square Photo Blur | com.jack.square.photo.blur.image | 2.0.5 | 500 000+ | Thomas Mary |
Square Blur Photo | com.jobfun.square.photo.blur.image | 7.0.0 | 500 000+ | Ward Nadine |
Magic Call Flash | com.magic.call.flash.tools | 2.0.0 | 50 000+ | Robinson Yolanda |
Easy Blur | com.mary.super.photo.blur.tool | 6.0.0 | 100 000+ | Chu Erin |
Image Blur | com.mclain.photo.blur.editor.background | 2.0.5 | 100 000+ | Myers Jason |
Auto Photo Blur | com.paige.photo.blur.background | 6.0.0 | 100 000+ | Taylor Zelma |
Photo Blur | com.scorp.photo.blur.background | 2.0.3 | 500 000+ | Swindell Eddie |
Photo Blur Master | com.scott.scorp.photo.blur.background | 8.0.0 | 100 000+ | Myers Jesse |
Super Call Screen | com.super.call.screen.tools | 2.0.0 | 100 000+ | O’Connor Amy |
Square Blur Master | com.robert.square.photo.blur.image | 6.0.0 | 100 000+ | Gledhill Janice |
Square Blur | com.craig.square.photo.blur.image | 5.0.0 | 50 000+ | Johnson Melanie |
Smart Blur Photo | com.james.smart.blur.photo.editor.tool | 2.0.0 | 500 000+ | Robinson Yolanda |
Smart Photo Blur | com.james.smart.photo.blur.editor.tool | 4.0.0 | 500 000+ | Tammy Roush |
Super Call Flash | com.super.call.screen.tools | 2.0.0 | 100 000+ | Kirk Brian |
Smart Call Flash | com.smart.call.flash.tools | 2.0.0 | 50 000+ | Davis Betty |
Blur Photo Editor | com.sixgod.photo.editor.blur.image.tool | 2.0.8 | 5 000+ | Addison Goldie |
Blur Image | com.fancy.photo.editor.blur.image.tool | 2.0.6 | 10 000+ | Alvord Columbus |
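Because these apps hide their launcher icons, the package manager is a more reliable place to look than the home screen. The script below is an added example, not code from the White Ops report: it matches the output of `adb shell pm list packages` against the package names in the table above. The function names and the sample output are constructed for illustration.

```python
"""Check `pm list packages` output against the Chartreuse Blur package names."""
import subprocess

# Package names copied from the "PKG Name" column of the table above.
CHARTREUSE_BLUR = set("""
com.auto.picture.cut.background.eraser.tool com.color.call.flash.tools
com.jack.square.photo.blur.image com.jobfun.square.photo.blur.image
com.magic.call.flash.tools com.mary.super.photo.blur.tool
com.mclain.photo.blur.editor.background com.paige.photo.blur.background
com.scorp.photo.blur.background com.scott.scorp.photo.blur.background
com.super.call.screen.tools com.robert.square.photo.blur.image
com.craig.square.photo.blur.image com.james.smart.blur.photo.editor.tool
com.james.smart.photo.blur.editor.tool com.smart.call.flash.tools
com.sixgod.photo.editor.blur.image.tool com.fancy.photo.editor.blur.image.tool
""".split())

def installed_packages(pm_output):
    """Parse `pm list packages` output, with or without the -f (APK path) flag."""
    names = set()
    for line in pm_output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            # With -f a line reads package:<apk path>=<name>; keep the name.
            names.add(line[len("package:"):].rsplit("=", 1)[-1])
    return names

def find_flagged(pm_output):
    """Return the installed packages that appear on the list, sorted."""
    return sorted(installed_packages(pm_output) & CHARTREUSE_BLUR)

def scan_device():
    """Query a connected device; needs adb on PATH and USB debugging enabled."""
    cmd = ["adb", "shell", "pm", "list", "packages"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True)
    return find_flagged(out.stdout)

# Constructed sample output (not from a real device), mixing both line formats.
SAMPLE = """package:com.android.chrome
package:com.jack.square.photo.blur.image
package:/data/app/com.scorp.photo.blur.background-1/base.apk=com.scorp.photo.blur.background
package:com.example.photo.blur
"""

if __name__ == "__main__":
    for pkg in find_flagged(SAMPLE):
        print(f"flagged: {pkg}  (remove with: adb uninstall {pkg})")
```

Matching is on the exact package name, so an unrelated app with “blur” in its name, such as the constructed `com.example.photo.blur`, is not flagged.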
Apps Selling User Data to Advertisers
In early 2020, the VPNpro portal warned Android smartphone owners about 24 potentially dangerous apps that could track user geolocation to sell this data to advertisers. These apps have approximately 382 million downloads, so it’s strongly recommended to check your smartphone for any of the apps listed below and assess their safety.
Interestingly, all 24 apps that may track geolocation are linked to a large Chinese company, Shenzhen HAWK, which is part of the TCL Corporation (connected with the state). These apps ask owners for excessive permissions that are unnecessary for their regular operation.
For example, games, recorders, and cleaning apps request permissions to make calls, take photos, record videos, and capture audio—raising significant suspicion. Therefore, we advise paying attention to the permissions requested by apps before installing them.
Shenzhen HAWK has previously faced allegations of distributing malicious software. Here is a list of apps that VPNpro considers potentially dangerous, as they likely collect large amounts of user data and sell it to third parties without users’ knowledge or consent:
Sound Recorder | Super Cleaner | Virus Cleaner 2019 | File Manager |
Joy Launcher | Turbo Browser | Weather Forecast | Candy Selfie Camera |
Free VPN | Hi VPN | Candy Gallery | Calendar Lite |
Super Battery | Hi Security 2019 | Net Master | Puzzle Box |
Private Browser | Hi VPN Pro | World Zoo | Word Crossy |
Soccer Pinball | Dig It | Laser Break | Music Roam |
Word Crush |
Purpose of Creating Malicious Apps
Why do app developers take such risks—creating and publishing dangerous apps that might soon be exposed for violations and removed from Google Play? The answer is simple: it’s business, and quite a profitable one.
On average, in the advertising market, advertisers are willing to pay $4 per 1,000 users per month for access to their geolocation data. This data is highly valuable as it allows precise location tracking, often down to a few meters, and can even reveal a specific floor in a large building or shopping mall. Naturally, companies are willing to pay for such data.
If a company has not just 1,000 but 1 million users, this translates to $4,000 per month. With 100 million users, it jumps to $400,000 monthly. It’s easy to calculate that having an app on Google Play for three months with 100 million installations could bring developers $1.2 million. With that budget, developers can continually create new apps, each time replacing those that were removed with fresh ones.
Furthermore, the data can be resold not just to one advertiser but to two, three, or even dozens and hundreds, increasing profits even more. At the time of writing, all of these apps have already been removed from Google Play, but they may still be installed on users’ smartphones.
Apps That Steal Facebook Login Data
In early July 2020, cybersecurity firm Evina discovered 25 apps on Google Play that were stealing login credentials for Facebook accounts. These apps didn’t attempt to sell geolocation data or display ads; instead, they were simply stealing Facebook account usernames and passwords.
Dangerous apps can come from a wide variety of categories: card games, file managers, step counters, flashlights, and more. All these apps have been installed over 2 million times and share a common malicious code.
When users launched the Facebook app, these programs would display a fake login page where users entered their credentials. These login details were then sent to cybercriminals for misuse or resale of sensitive data on the Dark Net. To protect your Facebook account, we strongly recommend enabling two-factor or multi-factor authentication.
While all of these dangerous Android apps have now been removed from Google Play, many of them still function on users' smartphones, as reported by Phone Arena. Here is a list of apps that may steal personal and confidential data related to Facebook:
Super Wallpapers Flashlight | Video Maker | Super Flashlight | Synthetic Z |
Padenatef | Color Wallpapers | Solitaire Game | File Manager |
Wallpaper Level | Pedometer | Accurate Scanning Of QR Code | Composite Z |
Contour Level Wallpaper | Powerful Flashlight | Classic Card Game | Screenshot Capture |
iPlayer & iWallpaper | Super Bright Flashlight | Junk File Cleaning | Daily Horoscope Wallpapers |
Wuxia Reader | Plus Weather | Anime Live Wallpaper | iHealth Step Counter |
5 User Mistakes That Can Lead to Dangerous Consequences
- not deleting unused apps from the smartphone;
- keeping Bluetooth and NFC constantly enabled;
- forgetting to update the Android operating system in a timely manner;
- not reviewing permissions granted to apps during installation;
- installing apps downloaded from third-party developers outside of the Google Play platform.
So, stay vigilant, and don't forget about personal cybersecurity and the protection of personal and confidential data.