Skip to content
Guerilla apps
Naked Security Naked Security

Watch out: photo editor apps hiding malware on Google Play

Innocent-looking apps with ad clicker malware have bypassed Google's safeguards

Thanks to Chen Yu of SophosLabs for her research.

SophosLabs has discovered apps in Google Play harbouring Guerilla ad clicker malware.
The malware, identified by Sophos as Andr/Guerilla-D, found its way on to Google Play during March and April 2018, in innocent-looking photo editor apps.
Guerilla ad clicker
SophosLabs detected the malware in a total of 25 apps, all of which have been reported to Google.
Sadly, it’s not the first time this malware has made it past Google’s Android app review process and into the walled garden of Google Play. Earlier this year SophosLabs alerted Google to the presence of more than a dozen malicious apps and published a report about Guerilla malware targeting Android users.
The apps harbouring the Guerilla malware work – they really are games, flashlight apps or photo editors – but while they’re doing what you’d expect, they’re also doing something you wouldn’t: contacting remote servers and receiving instructions to download malicious JAR (Java Archive) files.
That extra Java code generates fraudulent ad revenue for the app developers by making the phone click on Google ads in the background, without users realising.

The new batch of Guerilla apps display a few technical differences from those removed from Google Play earlier this year.
Like the earlier apps, the latest ones hide their payloads in their asset folders as text files. This time around the apps use the filenames atop.txt or atgl.txt.
In an apparent effort to avoid detection, the JAR files now arrive encrypted, with the DES algorithm, and are decrypted on the phone.
Guerilla decryption
The affected packages are:

Title Package Name Downlaods Publisher
Ladies World com.channe.ladiesworld 50000+ Chenxy
Happy photos com.flower.hphoto 50000+ chandrahegang
Beauty camera 1000+ bai xiongshu
S-PictureEditor com.aeapp.utli.edit 50000+ bai xiongshu
Collage maker 2018 com.YtApp.collage.edit 100000+ bai xiongshu
Gallery com.Aeapp.gaIlery.pls  5000+ bai xiongshu
Collage Maker 100000+ bai xiongshu
S Photo Plus 100000+ LiaoAny
CollagePlus com.aml.tpho.edit 100000+ LiaoAny
Photo Studio 10000+ elaine.wei
Collage Studio 5+ elaine.wei
Photo Studio Plus com.uil.cls.edit 10000+ elaine.wei
Collage Studio Pro com.old.clo.pic 10+ elaine.wei
Hot Chick com.ndun.hotchick 10000+ Sunshine Fun
Popular video 5000+ Phoenix bird Tech Limited
Music play 1000+ Jiangxi Huarui Network technology company
Photo collage edit 10+ Jiangxi Huarui Network technology company
Pic collage com.UIApp.pic.collage 50+ Jiangxi Huarui Network technology company
Super Photo Plus com.HwA.slp.photopls 1+ kowloon
Bees collage com.HwA.bee.pisc kowloon
Superb Photo kowloon
Sweet Collection com.zwws.sweetcollection 10000+ TopFun Families
Pic collage 5+ Shenzhen coronation plus Technology Co.. Ltd.
K music 10+ Shenzhen coronation plus Technology Co.. Ltd.

What to do?

In all areas of cybersecurity we recommend a strategy of defence in depth.
The safest place to get your Android apps is still Google Play. Although malware is found there fairly regularly, it’s still news when it happens. Google Play isn’t perfect but it’s a far safer environment than other, unregulated, app repositories.
Because no app review process can ever be perfect, we recommend running security software on your phone too, such as Sophos’s free Sophos Mobile Security for Android.

Update 2018-05-14

Google have removed all 25 apps from Google Play.


My favorite malware distribution site.
(standard question) did they notify any of the people that downloaded these apps from them?


Is this only android devises what about mac apps?


This malware family is only for Android.
Apple’s App Store hasn’t been entirely immune from dodgy apps (see link below), but they’ve been few and far between compared to malware on Google Play.


There’s a new one. 360° photo editor. Where can we report other malware?


If you’d like to let SophosLabs know so that someone can look at the sample and deal with it accordingly (including reporting to Google if needed), you can do so via email or the web:


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!