If you’re thinking of downloading a handy flashlight app for your phone, beware: Check Point researchers have detected a new type of adware roaming Google Play, the official app store of Google, hidden in 22 different flashlight and utility apps.
Dubbed ‘LightsOut’, the adware code reached a spread of between 1.5 million and 7.5 million downloads. Its purpose was to generate illegal ad revenue for its perpetrators at the expense of unsuspecting users. It overrides the user’s decision to disable ads showing outside of a legitimate context, and then, in many of the apps, hides its icon to hinder efforts to remove it. This is a purely malicious activity, as it has no other possible purpose other than eluding the user.
The deception was far-reaching in its disruption to the user. Users noted that they were forced to press on ads to answer calls and perform other activities on their device. Users also reported that the malicious ad activity continued even after purchasing the ad-free version of the app, taking the abuse to a whole new level.
Check Point notified Google about all these apps, who soon removed them from the Google Play store.
How it works
LightsOut embeds the malicious ‘Solid SDK’ inside seemingly legitimate flashlight and utility apps. The script has two malicious capabilities, which are both embedded in most samples found, and are triggered by the Command and Control server. The first is hiding its icon when the app is launched for the first time, making it much harder for a user to remove. This is a purely malicious activity, as it has no other possible purpose other than eluding the user.
The malicious app offers the user a checkbox, as well as a control panel, in which they can enable or disable additional services, including the displaying of ads. The events that will trigger ads are any Wi-Fi connection, the ending of a call, a plugged in charger or the screen being locked.
However, if the user chooses to disable these functions, ‘LightsOut’ can override the user’s decision and continue to display ads out of context. Since the ads are not directly connected to LightsOut’s activity, the user is unlikely to understand what caused them, and even if they do, they won’t be able to find the app’s icon and remove it from their device.
App stores have their own security measures – indeed, Google has recently pushed significant initiatives in improving Google Play’s security – but users need to realize that they need their own security measures, too. Whether it’s Google Play or Google Cloud, providers like Google share a co-equal role with the user on cyber security. Without a mobile anti-virus, users are entering app stores without a Plan B against these fishy apps.
The full list of apps containing the adware is:
Realtime Cleaner
Call Recorder Pro
Call Recording Manager
Smart Swipe
Wallpaper HD -Background
WiFi Network
Smart Flashlight
Call Recorder
Cool Flashlight
Master WiFi Key
Flashlight Pro
Dr. Clean Lite
Network Guard
LED Flashlight
Almighty Flashlight
Free WiFi Connect
Smart Free WiFi
New Flashlight
Voice Recorder Pro
FileTransfer Pro
Free WiFi Pro
Realtime Booster
Full details will be published on https://blog.checkpoint.com today.w2
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.