Security experts often use free flashlight apps when trying to explain some nuance of mobile security because there are so many of these apps out there, and many of them request far, far more of your personal information than necessary to illuminate a dark room. But this week, Malwarebytes pointed us toward a particularly nasty flashlight app that tries to take control of your phone.
When the victim goes to install the flashlight app, it requests superuser access. Malwarebytes told us that the app also comes bundled with multiple rooting libraries. The practical upshot is that when it’s installed, the app has far more control over your phone than the average app, or even the average user. Unsurprisingly, the app does not include any warnings—in the app or the stores where it’s available—that it will be attempting to gain root access on your phone.
Once it’s installed (and in control), the flashlight app goes to work and places shortcuts on the infected device’s homescreen. According to Malwarebytes, tapping one of these triggers prompts to install other apps onto your phone. Given their origin, it’s safe to assume that these aren’t apps you’d want on your phone, either.
The nefarious flashlight app also takes steps to hide the presence of its app launcher, making it that much harder for users to simply uninstall it.
What’s It Up To?
Generally, we’re left to guess at what app authors were thinking when they created their malicious apps. It’s almost always part of a money making scheme, but sometimes the monetization angle isn’t very clear without inside knowledge. This time is different.
Malwarebytes reports that the flashlight app is part of a “pay-per-install scam.” The flashlight app’s author has likely partnered with affiliate programs to receive a payment each time one of the apps bundled with the flashlight app are installed on to a victim’s phone. It’s entirely possible that the affiliate isn’t even aware that something untoward is happening.
If this sounds like a familiar scam, that’s because it’s part of what Lookout targeted with their recent war on adware.
Of course, good malware authors always try to take full advantage of the devices they infect. Why stop at one scam when you already have a toehold in someone else’s device? Once the flashlight app is installed and has gained root access, there’s little preventing the malware author from repurposing it for some other project. “Flashlight apps are often over-permissioned and filled with aggressive adware,” said Malwarebytes security researcher Armando Orozco. “But this one can also root devices, potentially opening the door for other malicious activities.”
Today, this app is pushing adware. Tomorrow, it could be using infected phones as part of a botnet or to spew SMS spam.
Malwarebytes reports that this app appears to target English speakers, and is spread around numerous third party app stores. Links to the malicious app have also been spotted in forum posts and comment sections—which is not an unusual spammy tactic for app peddlers.
Fortunately, this makes avoiding this particular app easy: simply do not install any apps from outside Google Play. True, there are some unique and valuable apps that, for one reason or another, aren’t on Google Play. But leave those for the experts. We believe that most users are better off sticking with Google Play for all their Android app needs.
Of course, sometimes Google misses something nasty. And even itsautomated protection service isn’t infallible. To help guard against novel attacks, and the few apps that slip past Google’s watchful eye, we recommend that Android users install a third-party security app on their Android devices. Malwarebytes has an offering of its own, and we recommend Editors’ Choice Bitdefender Mobile Security and Antivirus. Concerned about price? Not to worry; Editors’ Choice avast! Mobile Security & Antivirus is completely free.
Lastly, be wary every time you go to install an app onto your Android phone. Even if the app isn’t outrightly malicious, simple apps can sometimes be packed full of info-gathering tools. App creators sometimes use these to gather your personal information and then sell it to advertisers. Take a moment to read through the permissions each app requests, and if you’re not comfortable with what it’s requesting, search around for an alternative. Trust me, there are plenty of alternatives for Android apps. Or, in the case of a flashlight app, try to a find a phone that runs Android 5.1 and use the one built into the operating system.