::Trend Micro Threat Resource Center::

07 April 2015

Please Stop Installing Android Flashlight Apps


Security experts often use free flashlight apps when trying to explain some nuance of mobile security because there are so many of these apps out there, and many of them request far, far more of your personal information than necessary to illuminate a dark room. But this week, Malwarebytes pointed us toward a particularly nasty flashlight app that tries to take control of your phone.

Nefarious Flashlight
When the victim goes to install the flashlight app, it requests superuser access. Malwarebytes told us that the app also comes bundled with multiple rooting libraries. The practical upshot is that when it's installed, the app has far more control over your phone than the average app, or even the average user. Unsurprisingly, the app does not include any warnings—in the app or the stores where it's available—that it will be attempting to gain root access on your phone.

Once it's installed (and in control), the flashlight app goes to work and places shortcuts on the infected device's homescreen. According to Malwarebytes, tapping one of these triggers prompts to install other apps onto your phone. Given their origin, it's safe to assume that these aren't apps you'd want on your phone, either.
The nefarious flashlight app also takes steps to hide the presence of its app launcher, making it that much harder for users to simply uninstall it.

What's It Up To?
Generally, we're left to guess at what app authors were thinking when they created their malicious apps. It's almost always part of a money making scheme, but sometimes the monetization angle isn't very clear without inside knowledge. This time is different.

Malwarebytes reports that the flashlight app is part of a "pay-per-install scam." The flashlight app's author has likely partnered with affiliate programs to receive a payment each time one of the apps bundled with the flashlight app is installed onto a victim's phone. It's entirely possible that the affiliate isn't even aware that something untoward is happening.

If this sounds like a familiar scam, that's because it's part of what Lookout targeted with their recent war on adware.

Of course, good malware authors always try to take full advantage of the devices they infect. Why stop at one scam when you already have a toehold in someone else's device? Once the flashlight app is installed and has gained root access, there's little preventing the malware author from repurposing it for some other project. "Flashlight apps are often over-permissioned and filled with aggressive adware," said Malwarebytes security researcher Armando Orozco. "But this one can also root devices, potentially opening the door for other malicious activities."

Today, this app is pushing adware. Tomorrow, it could be using infected phones as part of a botnet or to spew SMS spam.

Staying Safe
Malwarebytes reports that this app appears to target English speakers, and is spread around numerous third-party app stores. Links to the malicious app have also been spotted in forum posts and comment sections—which is not an unusual spammy tactic for app peddlers.

Fortunately, this makes avoiding this particular app easy: simply do not install any apps from outside Google Play. True, there are some unique and valuable apps that, for one reason or another, aren't on Google Play. But leave those for the experts. We believe that most users are better off sticking with Google Play for all their Android app needs.

Of course, sometimes Google misses something nasty. And even its automated protection service isn't infallible. To help guard against novel attacks, and the few apps that slip past Google's watchful eye, we recommend that Android users install a third-party security app on their Android devices.

Malwarebytes has an offering of its own, and we recommend Editors' Choice Bitdefender Mobile Security and Antivirus. Concerned about price? Not to worry; Editors' Choice avast! Mobile Security & Antivirus is completely free.

Lastly, be wary every time you go to install an app onto your Android phone. Even if the app isn't outright malicious, simple apps can sometimes be packed full of info-gathering tools. App creators sometimes use these to gather your personal information and then sell it to advertisers. Take a moment to read through the permissions each app requests, and if you're not comfortable with what it's requesting, search around for an alternative. Trust me, there are plenty of alternatives for Android apps. Or, in the case of a flashlight app, try to find a phone that runs Android 5.1 and use the one built into the operating system.
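For readers who want to automate that permission check, here is an added example (not from Malwarebytes or the original article) that audits a flashlight app's manifest. It assumes the manifest has already been decoded to text XML; the baseline set, the high-risk list and the sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumption: what a torch-only app plausibly needs.
FLASHLIGHT_BASELINE = {"android.permission.CAMERA", "android.permission.FLASHLIGHT"}

# Permissions that line up with behaviour described in the article.
HIGH_RISK = {
    "android.permission.ACCESS_SUPERUSER": "requests superuser (root) access",
    "com.android.launcher.permission.INSTALL_SHORTCUT": "can add home-screen shortcuts",
    "android.permission.SEND_SMS": "can send SMS messages",
}

# Constructed sample manifest, not taken from any real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.FLASHLIGHT"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_SUPERUSER"/>
  <uses-permission android:name="com.android.launcher.permission.INSTALL_SHORTCUT"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Flashlight"/>
</manifest>"""


def audit_manifest(manifest_xml, baseline=FLASHLIGHT_BASELINE):
    """Split requested permissions into expected, high-risk and unexpected."""
    root = ET.fromstring(manifest_xml)
    requested = []
    for node in root.iter("uses-permission"):
        name = node.get(f"{{{ANDROID_NS}}}name")
        if name and name not in requested:  # ignore duplicate declarations
            requested.append(name)
    report = {"package": root.get("package"), "expected": [],
              "high_risk": {}, "unexpected": []}
    for name in requested:
        if name in HIGH_RISK:
            report["high_risk"][name] = HIGH_RISK[name]
        elif name in baseline:
            report["expected"].append(name)
        else:
            report["unexpected"].append(name)
    return report


if __name__ == "__main__":
    result = audit_manifest(SAMPLE_MANIFEST)
    for perm, why in result["high_risk"].items():
        print(f"HIGH RISK  {perm}: {why}")
    for perm in result["unexpected"]:
        print(f"UNEXPECTED {perm}")
```

Anything reported as high risk or unexpected is a reason to look for an alternative app, as the article advises.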

04 April 2015

New threats for Android phones, how do they work? Beware of your battery!

When buying a smartphone, one of the first things we do is choose an unlock pattern, trusting that by doing this our WhatsApp conversations will be protected from our nosy surroundings. If you are one of those who think that just one finger is capable of drawing a complicated route on the screen, you are mistaken! Hacking an Android phone’s lock is easier than you thought!

Digital thieves can reach even further. Not only can they get physically inside your phone, but they can also do it virtually, or by using the phone’s microphone. Now they can even spy on you when the phone is turning off.

Those who trust that clicking on their smartphone’s “off” switch is enough to stop their contact with the outside world are in trouble. Virtual spies are able to remotely pull the strings, even when the owner and the phone are asleep. Security researchers have demonstrated how a Trojan for Android phones can make users believe that they have turned the phone off as they usually do.

PowerOffHijack, the new malware, performs a very particular task: it hijacks the user’s shutdown process. When the on/off button is pressed, a fake dialog box appears, making users believe that their phone is turning off. Meanwhile, the malware is manipulating the operating system’s “system server” file.


The owner rests peacefully, even though the device is not at ease: the Trojan can make outgoing calls (even to foreign numbers), take pictures and do many other things without notifying the user. In China more than 10,000 devices have been infected by this malware; it seems to spread via some apps.

To avoid this mocking Trojan, we recommend that you pull out your battery so it doesn’t raise your phone bill to unsuspected limits. As much as the spies try, they are still not capable of controlling phones without lithium. Another tip is to uninstall the apps that may have let these silent thieves in.

Although taking the battery out and putting it back in can resolve the Power Off Hijack issue, some hackers are using the battery’s internal information to spy on mobile phones. Researchers at Stanford University, together with a group of Israeli experts, have developed Power Spy, a new technology that gathers an Android phone’s geolocation even when the GPS is turned off. How? By tracking the phone’s power consumption over time.

WiFi and GPS connections need the user’s permission in order to work, but battery consumption data doesn’t. So cyber criminals can track your phone with 90% accuracy and later use this location information as they please, being able to locate you at all times.

The researchers have proven Power Spy’s capabilities on two Nexus phones. The program enabled them to locate the phone even if its owner wasn’t using it at the moment. Power Spy would access your phone without you knowing it. The issue is that you might be downloading it together with any app without noticing it.


“We show that measuring the phone’s aggregate power consumption over time completely reveals the phone’s location and movement”, says Yan Michalevsky, one of the researchers.

Fortunately, this technology has its limitations: in order to work it needs predefined routes, and the phone must have already traveled along the route before. “If you take the same ride a couple of times, you’ll see a very clear signal profile and power profile,” says Michalevsky. In addition, the tracking accuracy is higher on phones with just a few apps than on those with more, where power is used unpredictably.

Anyone can start spying on your phone in ways you would never have suspected. Security is not only needed on your desktop computer; it is essential in the tiniest corners of your phone.