Malicious Code in Photo-Utility Apps

Strikingly, all of the apps highlighted in the recent Symantec report belong to the beauty/fashion and photo-utility categories. Although the apps were published from the accounts of 22 different developers, all 25 of them share more or less the same content and code structure. The security experts at Symantec believe this could be a sign that these developers belong to one organized group. The only other plausible explanation would be that they built the apps from the same source codebase. The apps themselves were relatively new, with the oldest of them having been uploaded only in April 2019. However, that does not necessarily mean that the techniques they used to bypass Google Play Protect are also new (or that they have not been replicated in other apps since). A list of all 25 malicious apps can be found at the end of this report.
Here’s How These Apps Affected Victim Devices

The apps were designed to install just like any regular app, only to change behavior drastically afterward and push fullscreen advertisements at random intervals. Not only were users given no chance to opt out, they also could not pinpoint the source of the intrusive ads, because the ad windows did not carry the app’s title. The ads continued to flood the screen even when the app was not in use.
The apps could evade the Play Store’s scrutiny because the developers made sure not to hardcode the malicious functions into the original Android Package Kits (APKs). Instead, the apps would covertly download a remote configuration file via a third-party service without alerting the user. Once downloaded, the configuration file supplied several settings, including ones that alter the device’s ad-displaying behavior. The apps also encoded and encrypted certain keywords in the malicious code using initialization vectors and encryption keys, which gave them virtual immunity from anti-malware scans on the host device. In addition, the apps removed their icons from the home screen — possibly in an attempt to make the user forget about their presence on the device.

At least some of the developers managed to push their apps into the top trending apps of their respective categories, which would explain how they could bag so many downloads within a relatively short period. Meanwhile, the developers behind at least one of these apps made two versions of the same app — one clean and the other with the malicious functions. While the clean app managed to trend in the top charts, the developers probably hoped that many users would mistakenly download the other app with the malicious functions.
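As an added defender-side example (not code from the Symantec report or from the apps), the script below scores decompiled APK text for the combination of behaviors described above: a remote configuration download, symmetric encryption with an explicit IV, launcher-icon hiding and an overlay permission for out-of-app fullscreen ads. The Android API and permission names are real, but mapping them to these behaviors, the three-hit threshold and the sample lines are this example’s own assumptions.

```python
"""Triage heuristic for the hidden-icon / remote-config adware pattern.

Scans constructed lines resembling decompiled smali or a manifest and
reports which of the article's indicators appear. Example code only.
"""
import re

# Indicator patterns keyed by the behaviour the article describes.
# The identifiers are real Android APIs; the pairing is this example's heuristic.
INDICATORS = {
    "hides_launcher_icon": re.compile(
        r"setComponentEnabledSetting|COMPONENT_ENABLED_STATE_DISABLED"),
    "remote_config_fetch": re.compile(r"https?://\S+\.(?:json|cfg|txt)\b"),
    "symmetric_crypto_with_iv": re.compile(r"IvParameterSpec|Cipher;->getInstance"),
    "fullscreen_ad_overlay": re.compile(r"SYSTEM_ALERT_WINDOW|TYPE_APPLICATION_OVERLAY"),
}
# Require several distinct behaviours before flagging, so a single
# legitimate use (e.g. an app that merely uses AES) is not enough.
MIN_HITS = 3

def scan(lines):
    """Return the set of indicator names matched anywhere in lines."""
    hits = set()
    for line in lines:
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.add(name)
    return hits

def verdict(lines):
    """Return ('suspicious' | 'clean', sorted list of matched indicators)."""
    hits = scan(lines)
    return ("suspicious" if len(hits) >= MIN_HITS else "clean", sorted(hits))

# Constructed sample input: fragments shaped like decompiled smali / manifest.
SAMPLE_SUSPICIOUS = [
    'const-string v1, "https://config.example-cdn.invalid/ads.json"',
    "invoke-virtual {v0, v1, v2, v3}, Landroid/content/pm/PackageManager;->setComponentEnabledSetting",
    "sget v2, Landroid/content/pm/PackageManager;->COMPONENT_ENABLED_STATE_DISABLED:I",
    "new-instance v4, Ljavax/crypto/spec/IvParameterSpec;",
    '<uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>',
]
SAMPLE_CLEAN = [
    "invoke-static {v0}, Ljavax/crypto/Cipher;->getInstance(Ljava/lang/String;)Ljavax/crypto/Cipher;",
    'const-string v1, "saving edited image"',
]

if __name__ == "__main__":
    print(verdict(SAMPLE_SUSPICIOUS))  # ('suspicious', [all four indicators])
    print(verdict(SAMPLE_CLEAN))       # ('clean', ['symmetric_crypto_with_iv'])
```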
Our researchers exposed malware hiding in popular photo editing apps. Get the details. https://t.co/81pWsCwhlY
— Symantec (@symantec) September 23, 2019
The 25 Malicious Apps and Their Developers

While the Symantec report names only the package names, the app titles associated with these packages are:
- Image Blur Editor New (Kulomylong)
- Auto Blur Photo (Burnerfock)
- Blur Image Pro (Fisher Dev)
- Cut Paste Photo Editor S (Kenneth Ortiz)
- Face Feature (Fater Dev)
- Fashion Hairstyles Pic Editor (Goveroy Dev)
- Image Blur Editor Free (Setperal)
- Image Blur Editor Unlimited (Kensendy)
- Photo Cut Studio Professional (WWL Dev)
- Smoke Name Art (Magicalla Studio)
- Fashion Hairstyles Pic Editor 2019 (Digtal Dev)
- Latest Hairstyles Free (Lyynforture)
- Photo Collage Maker (Lyynforture)
- Cut Paste Photo Editor X (Superjunia)
- Blur Image Plus (Past Dev)
- Auto Cut Out Pro (OOI Dev)
- Background Cut Out Pro (Richard Media Studio)
- Hairstyles Photo Editor Plus (FFmore Dev)
- Auto Cut Out Free (Sistermopub)
- Motion On Picture (Sistermagci)
- Pop Color Effect (Pumana Dev)
- SkyCamera for 2019 (HCamera Studio)
- Photo Background Editor Pro (Flydog Dev)
- Blur Image Plus 1.0 (Past Dev)
- Photo Blur Background Maker 2019 (Goulmook Dev)