Up to 7.5 million Android users could have fallen victim to malware that posed as a series of flashlight and other utility apps downloaded from the official Google Play Store.
Dubbed LightsOut by the researchers at Check Point who discovered the malicious apps, the adware was hidden in 22 apps in the Play Store, which in total have been downloaded somewhere between 1.5 million and 7.5 million times.
The purpose of the malware was to generate ad revenue by repeatedly displaying pop-up adverts in ways which forced the user to click them before they could continue using their device. For example, users were forced to press on adverts before ending calls and accessing other apps.
Applications carrying LightsOut also hid themselves from the user in an effort to ensure they couldn't be easily uninstalled and thus continue to generate revenue for the attackers.
LightsOut functions by embedding its malicious capabilities inside the app and appears to only extract the ability to display adware once the application has been installed and run on a device. The script contains two malicious capabilities which are both triggered by a command and control server once the app is active.
The first hides the icon after the app is launched for the first time, making it harder to uninstall the malicious app.
The second capability is that LightsOut appears to offer users the option to turn off adverts. However, even if the user says they don't want adverts displayed, they'll still find themselves targeted by intrusive pop-ups in situations including making calls, connecting to wi-fi, plugging in a charger, and locking the screen.
By presenting adverts while the app isn't apparently being used, the attackers are trying to confuse the victim and disassociate the malicious activity from the app -- another attempt to prevent it being uninstalled.
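The trigger list above can be turned into a simple triage check on an app's decoded AndroidManifest.xml. The following is an added example, not Check Point's tooling and not code from the apps themselves. The mapping of triggers to broadcast actions, the threshold, the function names and both sample manifests are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping of the article's ad triggers to Android broadcast actions.
# SCREEN_OFF can only be registered at runtime, so USER_PRESENT is the manifest-visible proxy.
TRIGGERS = {
    "android.intent.action.PHONE_STATE": "call state change",
    "android.net.wifi.STATE_CHANGE": "wi-fi connection",
    "android.intent.action.ACTION_POWER_CONNECTED": "charger plugged in",
    "android.intent.action.USER_PRESENT": "screen unlock",
}

def trigger_receivers(manifest_xml):
    """Map each <receiver> name to the article-listed triggers it subscribes to."""
    root = ET.fromstring(manifest_xml)  # use defusedxml for untrusted files
    hits = {}
    for receiver in root.iter("receiver"):
        name = receiver.get(ANDROID + "name", "?")
        actions = {a.get(ANDROID + "name") for a in receiver.iter("action")}
        matched = sorted(TRIGGERS[a] for a in actions if a in TRIGGERS)
        if matched:
            hits[name] = matched
    return hits

def is_suspicious(manifest_xml, threshold=3):
    """Flag an app that listens for `threshold` or more distinct triggers."""
    distinct = {t for ts in trigger_receivers(manifest_xml).values() for t in ts}
    return len(distinct) >= threshold

# Constructed sample manifests (not taken from any real app).
SAMPLE_FLAGGED = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.flashlight">
  <application>
    <activity android:name=".Main"/>
    <receiver android:name=".EventReceiver">
      <intent-filter>
        <action android:name="android.intent.action.PHONE_STATE"/>
        <action android:name="android.net.wifi.STATE_CHANGE"/>
        <action android:name="android.intent.action.ACTION_POWER_CONNECTED"/>
        <action android:name="android.intent.action.USER_PRESENT"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

SAMPLE_BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.torch">
  <application><activity android:name=".Main"/></application>
</manifest>"""
```

A hit is only a reason to look closer: legitimate apps also subscribe to these broadcasts, and receivers registered at runtime do not appear in the manifest.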
"One is uploading only a benign 'bridgehead' app with no malicious functionality in it. Only after the app is installed on a real device does it retrieve the malicious components from its command and control server," a Check Point spokesperson told ZDNet.
"The other is different malware presenting intentional evasion techniques, which delay the malicious activity or try to evade virtual inspection, as done by Google Play's protections. Google scrutinizes apps only for a short term, which means it can miss some of the malware's actions," they added.
Malicious applications distributing LightsOut included Realtime Cleaner, Call Recorder Pro, Smart Flashlight, Cool Flashlight, Flashlight Pro, Network Guard, and more. Check Point reported all 22 applications to Google, which has now removed them from distribution via the Play Store.
"We take the safety of our users very seriously," a Google spokesperson told ZDNet.