Nearly two dozen Android flashlight and related utility apps were removed from the Google Play marketplace after researchers found a malicious advertising component dubbed “LightsOut” inside them. In total, the apps were downloaded between 1.5 and 7.5 million times.
Security researchers at Check Point discovered the family of malicious apps, which “generated illegal ad revenue” by tricking users into viewing and clicking on ads displayed on their mobile phones.
“As some users noted, they were forced to press on ads to answer calls and perform other activities on their device,” wrote Check Point in a blog post outlining its research on Friday. “Indeed, another user reported that the malicious ad activity continued even after he purchased the ad-free version of the app.”
Check Point researchers discovered the apps on Google Play in November, and within a week of notifying Google of the malicious activity all 22 apps were removed. The oldest of the removed apps first appeared on Google Play in Sept. 2017.
Researchers said developers shipped the malicious APKs, identified as Solid SDKs, and the malicious code called LightsOut in a wide range of Android utility applications. The most popular was a smartphone call recording app downloaded 5 million times, followed by an app that saved Wi-Fi login credentials, which was downloaded 500,000 times.
Researchers suspect the malicious app developers were able to evade Google Play Protect, which scans both new and existing apps for malware, spyware, and trojans, because each of the apps’ permissions was transparent to the user at install time.
“LightsOut is seemingly legitimate since it requests permissions from the user to provide different services, and allows him to approve or disapprove these services and accompanying ads,” researchers wrote.
However, what victims didn’t anticipate was LightsOut’s ability to use scripts to override a user’s decision to disable