Up to 7.5 million Android users could have fallen victim to malware that posed as a series of flashlight and other utility apps downloaded from the official Google Play Store.
Dubbed LightsOut by the researchers at Check Point who discovered the malicious apps, the adware was hidden in 22 apps in the Play Store, which in total have been downloaded somewhere between 1.5 million and 7.5 million times.
The purpose of the malware was to generate ad revenue by repeatedly displaying pop-up adverts in ways which forced the user to click them before they could continue using their device. For example, users were forced to press on adverts before ending calls and accessing other apps.
Applications carrying LightsOut also hid themselves from the user in an effort to ensure they couldn't be easily uninstalled and thus continue to generate revenue for the attackers.
LightsOut works by embedding its malicious capabilities inside the app, and it appears to extract the ability to display adverts only once the application has been installed and run on a device. The embedded script contains two malicious capabilities, both of which are triggered by a command and control server once the app is active.
The first hides the icon after the app is launched for the first time, making it harder to uninstall the malicious app.
The second capability is that LightsOut appears to offer users the option to turn off adverts. However, even if the user says they don't want adverts displayed, they'll still find themselves targeted by intrusive pop-ups in situations including making calls, connecting to wi-fi, plugging in a charger, and locking the screen.
By presenting adverts while the app isn't apparently being used, the attackers are trying to confuse the victim and disassociate the malicious activity from the app -- another attempt to prevent it being uninstalled.
While the Play Store's verification process is designed to keep malicious apps from becoming available to users, such apps have regularly been known to slip through the net as attackers find methods to bypass protections.
"One is uploading only a benign 'bridgehead' app with no malicious functionality in it. Only after the app is installed on a real device does it retrieve the malicious components from its command and control server," a Check Point spokesperson told ZDNet.
"The other is different malware presenting intentional evasion techniques, which delay the malicious activity or try to evade virtual inspection, as done by Google Play's protections. Google scrutinizes apps only for a short term, which means it can miss some of the malware's actions," they added.
Malicious applications distributing LightsOut included Realtime Cleaner, Call Recorder Pro, Smart Flashlight, Cool Flashlight, Flashlight Pro, Network Guard, and more. Check Point reported all 22 applications to Google, which has now removed them from distribution via the Play Store.
"We take the safety of our users very seriously," a Google spokesperson told ZDNet.