LightsOut: Shining a Light On Malicious Flashlight Apps on Google Play

Check Point researchers have detected a new type of adware roaming Google Play, the official app store of Google. The suspicious scripts overrides the user’s decision to disable ads showing outside of a legitimate context, and then, in many of the apps, hides its icon to hinder efforts to remove it. This is a purely malicious activity, as it has no other possible purpose other than eluding the user.


Dubbed ‘LightsOut’, the code hid itself in 22 different flashlight and utility apps, and reached a spread of between 1.5 million and 7.5 million downloads. Its purpose? To generate illegal ad revenue for its perpetrators at the expense of unsuspecting users.


The deception was far reaching in its disruption to the user. Some users noted that they were forced to press on ads to answer calls and perform other activities on their device. Indeed, another user reported that the malicious ad activity continued even after he purchased the ad-free version of the app, taking the abuse to a whole new level.


Check Point notified Google about all these apps, who soon removed them from the Google Play store.


How It Works

As shown in our video, the malicious app offers the user a checkbox, as well as a control panel, in which they can enable or disable additional services, including the displaying of ads. The events that will trigger ads are any Wi-Fi connection, the ending of a call, a plugged in charger or the screen being locked.


However, if the user chooses to disable these functions, ‘LightsOut’ can override the user’s decision and continue to display ads out of context. Since the ads are not directly connected to LightsOut’s activity, the user is unlikely to understand what caused them, and even if he does he won’t be able to find the app’s icon and remove it from his device.


Main Takeaways:

Despite the vast investment Google has recently made in the security of their App Store, ‘LightsOut’ reminds us once again that users need to be wary of downloading from App Stores and are advised to have a ‘Plan B’ in the form of an advanced mobile threat defense solution that goes beyond anti-virus. Many users are still unaware of the dangers lurking for them, and continue to install apps such as fishy flashlights.


Many users are still unaware of the dangers lurking for them, and continue to install apps such as fishy flashlights, putting them at risk of making their winter months even darker.


Learn more:

For more details on how this malicious mobile app malware works, visit our Research Blog.

For more details on how to secure your phone, take a look at SandBlast Mobile, our mobile security solution, boasting the industry’s highest threat catch rate on iOS and Android.