‘LightsOut’: Malicious Flashlights Apps On Google Play

By   ISBuzz Team
Writer , Information Security Buzz | Jan 08, 2018 02:30 am PST

If you’re thinking of downloading a handy flashlight app for your phone, beware:   Check Point researchers have detected a new type of adware roaming Google Play, the official app store of Google, hidden in 22 different flashlight and utility apps.

Dubbed ‘LightsOut’, the adware code reached a spread of between 1.5 million and 7.5 million downloads.  Its purpose was to generate illegal ad revenue for its perpetrators at the expense of unsuspecting users.  It overrides the user’s decision to disable ads showing outside of a legitimate context, and then, in many of the apps, hides its icon to hinder efforts to remove it. This is a purely malicious activity, as it has no other possible purpose other than eluding the user.

The deception was far-reaching in its disruption to the user.  Users noted that they were forced to press on ads to answer calls and perform other activities on their device.  Users also reported that the malicious ad activity continued even after purchasing the ad-free version of the app, taking the abuse to a whole new level.

Check Point notified Google about all these apps, who soon removed them from the Google Play store.

How it works

LightsOut embeds the malicious ‘Solid SDK’ inside seemingly legitimate flashlight and utility apps. The script has two malicious capabilities, which are both embedded in most samples found, and are triggered by the Command and Control server.  The first is hiding its icon when the app is launched for the first time, making it much harder for a user to remove. This is a purely malicious activity, as it has no other possible purpose other than eluding the user.

The malicious app offers the user a checkbox, as well as a control panel, in which they can enable or disable additional services, including the displaying of ads. The events that will trigger ads are any Wi-Fi connection, the ending of a call, a plugged in charger or the screen being locked.

However, if the user chooses to disable these functions, ‘LightsOut’ can override the user’s decision and continue to display ads out of context. Since the ads are not directly connected to LightsOut’s activity, the user is unlikely to understand what caused them, and even if they do, they won’t be able to find the app’s icon and remove it from their device.

App stores have their own security measures – indeed, Google has recently pushed significant initiatives in improving Google Play’s security –  but users need to realize that they need their own security measures, too.  Whether it’s Google Play or Google Cloud, providers like Google share a co-equal role with the user on cyber security.  Without a mobile anti-virus, users are entering app stores without a Plan B against these fishy apps.

The full list of apps containing the adware is:

Realtime Cleaner

Call Recorder Pro

Call Recording Manager

Smart Swipe

Wallpaper HD -Background

WiFi Network

Smart Flashlight

Call Recorder

Cool Flashlight

Master WiFi Key

Flashlight Pro

Dr. Clean Lite

Network Guard

LED Flashlight

Almighty Flashlight

Free WiFi Connect

Smart Free WiFi

New Flashlight

Voice Recorder Pro

FileTransfer Pro

Free WiFi Pro

Realtime Booster

Full details will be published on https://blog.checkpoint.com today.w2