Nearly two dozen Android flashlight and related utility apps were removed from the Google Play marketplace after researchers found a malicious advertising component dubbed “LightsOut” inside them. In total, the apps were downloaded between 1.5 and 7.5 million times.
Security researchers at Check Point researcher discovered the family of malicious apps that “generated illegal ad revenue” via tricking users into viewing and clicking on ads displayed on their mobile phones.
“As some users noted, they were forced to press on ads to answer calls and perform other activities on their device,” wrote Check Point in a blog post outlining its research on Friday. “Indeed, another user reported that the malicious ad activity continued even after he purchased the ad-free version of the app.”
Check Point researchers discovered the apps in November on Google Play and within a week of notifying Google of the malicious activity all 22 apps were removed. The oldest of the apps booted first appeared on Google Play in Sept. 2017.
Researchers said developers used the malicious APKs, identified as Solid SDKs, and malicious code called LightsOut in a wide range of Android utility applications. The most popular was a smartphone call recording app downloaded 5 million times and an app that saved wifi login credentials, which was downloaded 500,000 times.
Researchers suspect the malicious app developers were able to trick Google Play Protect, which scans both new and existing apps for malware, spyware, and trojan viruses, because each of the apps’ permissions were transparent to the user when installing.
“LightsOut is seemingly legitimate since it requests permissions from the user to provide different services, and allows him to approve or disapprove these services and accompanying ads,” researchers wrote.
However, what victims didn’t anticipate was LightsOut’s ability to use scripts to override a user’s decision to disable ads. “If the user disabled the ads, a command-and-control server (http[:]//cloudzad[.]com) directed the malware to display an ad anyway,” wrote researchers.
Those bitten by the malware were bombarded with ads that displayed outside of the context of the apps downloaded. In one example of malicious behavior, ads are displayed at the end of a phone call. Ads were also triggered when new wifi connections were discovered, when a user plugged their phone into a charger or the device’s screen lock was engaged.
To avoid users deleting the ad-generating apps, in many cases, the malicious developer designed the utilities to hide their icons to thwart removal.
What made LightsOut more sneaky than similar types of adware, said Daniel Padon, mobile threat researcher, at Check Point Software, was the app’s disappearing icon and the fact the apps acted in a seemingly legitimate manner. “Security solutions without advanced context analysis would have a difficult time spotting the wrongdoings,” Padon said.
Over the past year Google has made strides to shore up the Android ecosystem, from the Google Play marketplace to devices themselves. Despite those gains, reports of malware making it into Google’s marketplace continue.
Last year Google removed a phony adware-laced WhatsApp download from Google Play that was downloaded more than one million times. In March, Google booted more than a dozen apps from the Google Play store after researchers discovered each were rip-offs of legitimate apps and designed to aggressively push ads on Android devices. In August, three messaging apps in the Google Play store contained spyware called SonicSpy were also removed.