Researchers: Gabi Cirlig, Michael Gethers, Marion Habiby, Christopher Soo, Dina Haines

We’ve got a quick mobile app safety tip or two for you: if the app you’ve just downloaded is playing hide and seek with you, the icon disappearing from your home screen, it might be bogus. If the only way you can open the app is by going into your Settings menu and finding it in a long list of apps, it might be bogus. And if after you download this app, you open your phone and you begin getting bombarded by ads just appearing out of nowhere, it might be bogus.

The White Ops Satori Threat Intelligence and Research Team recently identified a set of mobile apps that manifested suspiciously high volumes of ad traffic during their threat hunting investigations. After looking more closely at those apps and their similarly-developed counterparts, White Ops discovered 29 apps with code facilitating out-of-context (OOC) ads as well as a pretty clever way to evade detection. The apps we investigated in the course of this research did not function as advertised, and had more than 3.5 million downloads among them.

White Ops dubbed this investigation CHARTREUSEBLUR: the majority of apps include the word “blur” in their package name, and many purport to be photo editors allowing a user to blur sections of the image. The “chartreuse”, well, that’s just because it’s fun to say and the liqueur is tasty.

 

Square Photo Blur App

The Satori team developed our analysis using the Square Photo Blur app (see Table 1 below), but what we found was common to all of the identified apps in Appendix A: all were guilty of fraudulently rendering OOC ads. Compounding this, the apps investigated during our research removed their launch icons shortly after install, making it very difficult for an average user to remove the app. The Square Photo Blur app has been removed from the Google Play Store.

App Name

Square Photo Blur

Package Name

com.jack.square.photo.blur.image

MD5

5a62bbaa7b08c3ff08eb748ff374749a

SHA256

23e0c8eba8a4a7556384cc7f252fecd2d0b344c3ecf366581baf22da58df16fc

File Size

11 MB

Google Play Store Link

https://play.google.com/store/apps/details?id=com.jack.square.photo.blur.image

Version Analyzed

2.0.5

Developer

Thomas Mary

Contact Email

artidypi@gmail.com

Table  1: Details of the malicious app analyzed
Source: White Ops Threat Intelligence

The developer name for Square Photo Blur —”Thomas Mary”— is almost certainly bogus. All of the apps in this investigation feature developers whose “names” are common English language names smashed together, seemingly at random.

Looking at the comments in the Reviews section for this app reveals negative sentiment against this developer. The reviews suggest the app is barely functional with many reports of OOC ads. The summary shows the C-shaped rating distribution we see often with suspicious apps, with most of the newer reviews giving the app only one star.

(click on any image in this blog post to enlarge)
Figure 1:
C-shaped rating distribution for Square Photo Blur app.
Source: White Ops Threat Intelligence

 

Stage 1: Nothing to See Here

The CHARTREUSEBLUR apps obfuscate the code—almost certainly to evade detection—using a three-stage payload evolution. In both Stages 1 and 2, the code appears innocent, but if there’s going to be ad fraud, the app needs to render the code to do so and the Satori team spotted it during Stage 3.

The Square Photo Blur app—and indeed all of the apps identified in this investigation—is packed using a Qihoo packer as the first stage of the malicious activity payload. As we noted in our BeautyFraud investigation, packers can be used for legitimate purposes, like protecting intellectual property from piracy. Although all of the apps used the Qihoo packer, all of the malicious activities, services, and broadcast receivers were declared in their manifests.

A stub app, conveniently called stub, can be seen in Figure 2. Stub apps are typically used by developers as a placeholder for not-yet-developed code during testing of other parts of the code. They simulate the functionality of the future code. In this case, the stub app is code that is used as a bridgehead for Stage 2.

Figure 2: Stub app for Square Photo Blur containing the Qihoo packer.
Source: White Ops Threat Intelligence

So, to an unsuspecting researcher or AV detection engine, the app appears to have nothing (malicious) to see here.

 

Stage 2: A Very Merry Unbirthday Gift

After unpacking the app, the second stage of the payload is revealed and the majority of code is now visible. The Satori team discovered that the offending malicious code is still not apparent at this stage.

Figure 3: Second stage of the payload
Source: White Ops Threat Intelligence

The Square Photo Blur app is being used as a wrapper around another BLUR app,  com.appwallet.easyblur, which can be seen after unpacking Square Photo Blur (see Figure 3). It’s worth noting com.appwallet.easyblur does not render any out-of-context ads: it appears to be the unfortunate target of the threat actors to trick users into believing they have downloaded a legitimate app with Square Photo Blur.

 

Stage 3: Phone Home

The malicious code is finally revealed, related to other packages named com.bbb.* which are downloaded as the third stage of the payload.

The classes, such as com.bbb.NewIn, missing in the main unpacked code, are noted in multiple places. Examples include the code that hides the icon—as seen in Figure 4—and the multiple manifest entries seen in Figure 5 that point to an invasive receiver with high priority.

Figure 4: Icon hiding snippet declared in the manifest inside the second stage.
Source: White Ops Threat Intelligence

Figure 5: Malicious components declared in, but missing from, the second stage.
Source: White Ops Threat Intelligence

By leveraging OSINT tools, the Satori team discovered the code snippet responsible for the out-of-context ads on VirusTotal (VT). The com.bbb* code was seen inside an external, stand-alone APK that was uploaded multiple times over the last couple of months to the VT platform.

Figure 6: Example iterations of the third stage payload, com.bbb*, shown on VT.
Source: VirusTotal

The VT samples appear to be slight variations of the same base code with incremental changes, likely with the goal of avoiding detection by antivirus companies. All of the apps shared in Appendix A contain this same malicious SDK embedded inside a test APK.

Figure 7: Early VT submission of the com.bbb* SDK.
Source: VirusTotal

Figure 7 shows an older version of the malicious SDK which triggered multiple detections in VT when it was first seen on April 26, 2020. However, another iteration of the SDK loaded just hours later, demonstrates a more stealthy approach which not only crashed some analytic tools (including JADX), but resulted in a much lower VT detection rate as shown in Figure 8.

Figure 8: Iteration of third stage payload with less detection.
Source: VirusTotal

After reversing this malicious SDK (all versions had the same structure), the piece of code responsible for the out-of-context and disruptive ads is visible in plain sight, as seen in Figure 9.

Figure 9: OOC ad activity being launched when the user unlocks the screen.
Source: White Ops Threat Intelligence

After clicking the Square Photo Blur app’s launcher icon on our test device (geolocated in the UK), the Satori team discovered a hollow shell of an app, just enough to just pass the Play Store checks, which didn’t function as advertised and, instead, posted out-of-context interstitials full of ads.

A few minutes after the user unlocks their phone, an ad pops up (unless the phone was unlocked to answer a call). An interstitial also pops up after the app is closed, rendering twice at intervals of a few seconds apart, as well as when an user uninstalls any other app. There is code present for launching ads at other times: whenever a user unlocks the screen, starts charging the phone or switches from cellular data-to-Wi-Fi and vice versa. The code appears to be behind some kind of geofencing, as the Satori team could not consistently reproduce this behavior.

Figure 10: Code for interstitial ad rendering.
Source: White Ops Threat Intelligence

Instead of any usable app functionality, though, the user is simply bombarded with out-of-context interstitial ads as can be seen in Figures 11 and 12.

Figure 11: Square Photo Blur app’s out-of-context interstitial ads
Source: White Ops Threat Intelligence

ezgif-2-60291ed3d6d5

Figure 12: Demo video of the OOC behavior.
Source: White Ops Threat Intelligence

Also, a few minutes after installing the Square Photo Blur app on our test device, the app removed its own launcher icon. Typically, there would be an Open button next to the Uninstall button if the user viewed an already installed app via the Google Play Store. But in cases of apps without a launcher icon, the Open button is not present, as seen in Figure 13.

 

Figure 13: Square Photo Blur app missing the Open button next to the Uninstall button.
Source: White Ops Threat Intelligence

The method show is called inside a job scheduled for recurrent activity, using the Android job scheduler. Job scheduling is abused as an additional persistence method in the CHARTREUSEBLUR apps.

Figure 14: Method show called using Android job scheduler.
Source: White Ops Threat Intelligence

Figure 15: Job Service used to pop up ads.
Source: White Ops Threat Intelligence

Figure 16: Job scheduling abused as an additional persistence method.
Source: White Ops Threat Intelligence

This malicious app is not limited to native ad fraud though. The Square Photo Blur app also launches an OOC web browser at random intervals while the user is using the phone.

Figure 17: Out-of-context browsing session
Source: White Ops Threat Intelligence

Figure 18: Traffic capture of the browsing session embedding an ad
Source: White Ops Threat Intelligence

The Satori team also discovered a domain—ruanfan[.]co—that opens inside the pop-up Chrome instance at periodic intervals. It’s worth noting that the domain is hardcoded in the malware, suggesting a direct and stable relationship between the malware and the domain. The threat actor behind the app is most likely also the owner of the domain.

Figure 19: ruanfan[.]co in a pop-up Chrome instance.
Source: White Ops Threat Intelligence

The domain, ruanfan[.]com,  referenced in the code was registered in January 2019.

Domain/IP

ruanfan[.]co

Registrar

Alibaba Cloud Computing Ltd. d/b/a HiChina (www.net.cn)

Registrant Org

fan qian

Registrant Contact Info

si chuan

Creation Date

17 January 2019

Expiration Date

17 January 2021

IP Address

47.246.23[.]139

47.246.17[.]166

Country

China

ISP

Zhejiang Taobao Network Co.,Ltd

ASN

AS 24429

Table 2: Domain details for ruanfan[.]co, used as the OOC ad landing page.
Source: White Ops Threat Intelligence

The CNAME for the domain ruanfan[.]co, is ruanfan.co.w.kunlunsl[.]com. And since the app is pointing toward a subdomain, the Satori team looked at what other subdomain names were mapped to this parent domain. We found an additional 99 related domains, presented in Appendix B.

 

Traffic Volumes

The White Ops Detection team analyzed 13 of the BLUR apps to determine their traffic volume in White Ops Advertising Integrity from May 21  through June 9, 2020.

Figure 20: Traffic volume May 21 - June 9, 2020.
Source: White Ops Data Science

The chart above shows the daily volume for each of 13 of the apps that are included in this attack. There is a clear general uptick in traffic in our logs from these apps around May 26, 2020, which generally continued through the time of this analysis. Certain apps, however, do not show this same uptick in traffic (e.g. com.scott.scorp.photo.blur.background, com.scorp.photo.blur.background).

 

Monitoring and Mitigation

The Satori Team continues to monitor this threat and will identify any emerging adaptations and new apps. We recommend removal of any apps identified in Appendix A.

The threat actors are upping the game as seen in this analysis, using a multi-stage payload process to evade detection and get their malicious code to render. Given it is unrealistic that users should reverse engineer every mobile app before installing it, here are some questions a user can ask to help identify potential fraudulent ones:

  • Do the reviews talk about ads popping up all the time?
  • Do the reviews talk about the app disappearing or being unable to uninstall it?
  • Do the reviews have a lot of complaints that the app doesn't work as advertised?
  • Are there a lot of 5-star reviews but the recent reviews are mostly 1-star?
  • Does the app publisher have a lot of downloads in a very short amount of time?

If the answer is yes to any of the above, then it might be bogus.

 

Appendices

Appendix A: Apps Containing the Malicious SDK

(All of the apps have been removed from the Google Play Store.)

 

Appendix B: Domains Sharing the Same CNAME Parent Domain

The CNAME for the hard-coded domain found in the Square Photo Blur app (ruanfan[.]co) is ruanfan.co.w.kunlunsl[.]com. These are other subdomains mapped to this CNAME.

TAGGED: Research & Detection