Malicious Android App Affects 350 Million Users — What to Do

Security researchers have detected 29 Android applications that harbor malware and have garnered at least 3.5 million downloads.

These rogue apps, discovered by cybersecurity firm White Ops, bombarded users with intrusive ads, did not perform their intended functions, and were nearly impossible for users to remove because the app's launch icon would suddenly disappear.

In a blog post, a researcher with White Ops' Satori Threat Intelligence stated that he encountered the malicious apps while searching for threats and noticed that the apps in question were "displaying suspiciously large amounts of ad traffic."

White Ops named the campaign ChartreuseBlur because most of these apps were photo editors with "blur" in the title. Researchers also questioned the legitimacy of the apps because of the developers' similar names.

"Square Photo Blur's developer name, 'Thomas Mary,' is almost certainly a fake," the researchers noted. All of the apps in the study have developer "names" that are common English names and appear to have been chosen at random.

In addition, the majority of the apps received negative reviews in the Google Play store; White Ops noted that "many reported OOC [out-of-context] ads, suggesting that the apps are barely functional."

During the study, researchers analyzed an app called Square Photo Blur and noted that it was similar to other apps.

To avoid detection by Google Play's malware screener, the ChartreuseBlur app had a so-called three-stage payload evolution.

"In both stage 1 and stage 2, the code appears harmless, but if ad fraud is to take place, the app must render that code, which the Satori team discovered during stage 3," they explained.

In the first stage, the app uses the Qihoo packer as part of the installation process; as White Ops noted, this is not unusual in itself, as packers are often used to prevent piracy.

However, White Ops noted that despite the packing, "all malicious activities, services, and broadcast receivers were declared in their manifests."

The apps also used stubs. Stubs essentially serve as placeholders for developers to test their code; White Ops found that stubs were "used as a bridgehead for stage 2."

During stage 2, the researchers stated, the Square Photo Blur app was "used as a wrapper for another Blur app."

However, the app would not be malicious at this point because the scammers want users to think the app is real.

In the third stage, things change quickly when "the malicious code is finally revealed. Whenever a user unlocks a device, puts the device on charge, or turns cellular data or Wi-Fi on or off, an ad appears."
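The three triggers quoted above (device unlock, charger connected, cellular data or Wi-Fi toggled) correspond to standard Android broadcast actions, and the article notes that the receivers for them were declared in the apps' manifests. The following Python script is an added illustration, not code from White Ops or from the article: it scans an AndroidManifest.xml for broadcast receivers wired to those actions, which is one quick triage check an analyst can run on an APK's decoded manifest. The manifest below is a constructed sample for a hypothetical "blur" app; the mapping of actions to triggers and the threshold of two or more triggers are my assumptions for a heuristic, not indicators published by White Ops.

```python
import xml.etree.ElementTree as ET

# Android attributes live in this XML namespace, e.g. android:name.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Standard broadcast actions that match the out-of-context ad triggers
# described in the article (assumed mapping for this heuristic).
OOC_TRIGGER_ACTIONS = {
    "android.intent.action.USER_PRESENT": "device unlocked",
    "android.intent.action.ACTION_POWER_CONNECTED": "charger connected",
    "android.net.conn.CONNECTIVITY_CHANGE": "cellular data / network changed",
    "android.net.wifi.WIFI_STATE_CHANGED": "Wi-Fi toggled",
}

# Constructed sample manifest for a hypothetical app; not a real package.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.hypothetical.blur">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Sample Blur">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <receiver android:name=".TriggerReceiver" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.USER_PRESENT"/>
                <action android:name="android.intent.action.ACTION_POWER_CONNECTED"/>
                <action android:name="android.net.conn.CONNECTIVITY_CHANGE"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Constructed benign manifest: a launcher activity and no receivers at all.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.hypothetical.plainblur">
    <application android:label="Plain Blur">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
    </application>
</manifest>
"""


def find_ooc_triggers(manifest_xml: str) -> dict:
    """Map each manifest-declared <receiver> to the list of out-of-context
    triggers it listens for. Receivers with no matching action are omitted."""
    root = ET.fromstring(manifest_xml)
    hits = {}
    for receiver in root.iter("receiver"):
        name = receiver.get(NAME_ATTR, "<unnamed>")
        matched = [
            OOC_TRIGGER_ACTIONS[action.get(NAME_ATTR)]
            for action in receiver.iter("action")
            if action.get(NAME_ATTR) in OOC_TRIGGER_ACTIONS
        ]
        if matched:
            hits[name] = matched
    return hits


def triage(manifest_xml: str, threshold: int = 2) -> dict:
    """Summarise the manifest: which receivers fire on the article's triggers,
    how many triggers in total, and whether that count reaches the (assumed)
    threshold that warrants a closer look at the app's code."""
    triggers = find_ooc_triggers(manifest_xml)
    total = sum(len(v) for v in triggers.values())
    return {"triggers": triggers, "trigger_count": total,
            "needs_review": total >= threshold}


if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST),
                            ("benign", BENIGN_MANIFEST)):
        print(label, triage(manifest))
```

A manifest match alone is not proof of fraud: many legitimate apps listen for connectivity or power events. The point of the check is to surface apps whose behaviour on these events deserves a look at stage 3 code, which is exactly the stage the article says hides the ad logic.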

All malicious apps have been removed from the Google Play Store, but White Ops has posted a list of app and package names.

Threat actors often develop mobile apps that appear legitimate but are actually loaded with malware. To protect yourself, you should only download apps from reputable sources, read reviews, and check the permissions the app requests before installing it.

It is also recommended that you use and install one of the best Android antivirus apps.