Android security: Flashlight apps on Google Play infested with adware were downloaded by 1.5m people

Android users looking for simple tools found their devices infected with aggressive LightsOut adware.
Written by Danny Palmer, Senior Writer

Video: Android: A development headache you can't ignore

Up to 7.5 million Android users could have fallen victim to malware that posed as a series of flashlight and other utility apps downloaded from the official Google Play Store.

Dubbed LightsOut by the researchers at Check Point who discovered the malicious apps, the adware was hidden in 22 apps in the Play Store, which in total have been downloaded somewhere between 1.5 million and 7.5 million times.

The purpose of the malware was to generate ad revenue by repeatedly displaying pop-up adverts in ways which forced the user to click them before they could continue using their device. For example, users were forced to press on adverts before ending calls and accessing other apps.

See: 17 tips for protecting Windows computers and Macs from ransomware (free PDF)

Applications carrying LightsOut also hid themselves from the user in an effort to ensure they couldn't be easily uninstalled and thus continue to generate revenue for the attackers.

LightsOut functions by embedding its malicious capabilities inside the app and appears to only extract the ability to display adware once the application has been installed and run on a device. The script contains two malicious capabilities which are both triggered by a command and control server once the app is active.


Millions of users have potentially installed malware when they thought they were getting tools like flashlights.

Image: Getty

The first hides the icon after the app is launched for the first time, making it harder to uninstall the malicious app.

The second capability is that LightsOut appears to offer users the option to turn off adverts. However, even if the user says they don't want adverts displayed, they'll still find themselves targeted by intrusive pop-ups in situations including making calls, connecting to wi-fi, plugging in a charger, and locking the screen.

By presenting adverts while the app isn't apparently being used, the attackers are trying to confuse the victim and disassociate the malicious activity from the app -- another attempt to prevent it being uninstalled.

While the Play Store's verification process is designed to keep malicious apps from becoming available to users, they've regularly been known to slip through the net as attackers find methods to bypass protections.

"One is uploading only a benign 'bridgehead' app with no malicious functionality in it. Only after the app is installed on a real device does it retrieve the malicious components from its command and control server," a Check Point spokesperson told ZDNet.

"The other is different malware presenting intentional evasion techniques, which delay the malicious activity or try to evade virtual inspection, as done by Google Play's protections. Google scrutinizes apps only for a short term, which means it can miss some of the malware's actions," they added.

Malicious applications distributing LightsOut included Realtime Cleaner, Call Recorder Pro, Smart Flashlight, Cool Flashlight, Flashlight Pro, Network Guard, and more. Check Point reported all 22 applications to Google, which has now removed them from distribution via the Play Store.

"We take the safety of our users very seriously," a Google spokesperson told ZDNet.

Recent and related coverage

Phoney Android security apps in Google Play Store found distributing malware, tracking users

36 apps posing as tools to keep users safe from attacks were actually installing malware on user's devices.

Android security triple-whammy: New attack combines phishing, malware, and data theft

Attacks on three fronts ensure attackers have all the information they need to steal banking details in the latest evolution of the Marcher malware, warn researchers.

Android security alert: Google's latest bulletin warns of 47 bugs, 10 critical

Google's Android security bulletin for December includes a number of flaws that vendors will need to patch.


Editorial standards