Why Downloading Flashlight Apps From Google Play May Be a Bad Idea

Jonathan Vanian is a former Fortune reporter. He covered business technology, cybersecurity, artificial intelligence, data privacy, and other topics.

Google booted a number of apps from its online store that fooled people into believing they were helpful services, like flashlights and call recording apps, while spreading malware.

Cybersecurity company Check Point Software revealed the findings on Friday after discovering the fraudulent apps in November and notifying Google (GOOG), which promptly removed the software from the Google Play store, said Check Point security researcher Daniel Padon. Although Check Point routinely notifies the search giant in private of malicious apps it discovers on the Google Play store, it will publicly reveal more egregious forms of malware that the company believes warrant more attention, he explained.

Padon estimates that the malware, called LightsOut because it affects several flashlight apps, has been downloaded between 1.5 million and 7.5 million times. He based those numbers on publicly available download estimates from Google Play for each of the 22 different affected apps.

To trick people into installing the shady software, hackers gave the apps legitimate-sounding names like “Voice Recorder Pro,” “WiFi Password Pro,” “Super Flashlight Lite,” and “Brightest LED Flashlight-Pro.”

Once downloaded and opened by users, the apps display a “settings” screen in which people can choose whether the software displays online advertising. But this choice is merely an illusion, since the apps can be controlled from external servers to display unwanted ads regardless, Padon said.

The deceiving apps then disappear from people’s home screens, making them hard to remove for those without technical skills.

“My mother was infected by a similar adware once,” Padon recalled of older phony phantom apps. “She didn’t understand how to remove it in the first place.”


A number of actions can cause unwanted ads to display on screens, including ending a phone call, locking the screen, or even plugging in a phone charger.

Although the malware does not represent a “significant step forward” in technical complexity, it highlights “another step in the way adware manages to infiltrate Google Play,” said Padon.

LightsOut shows that hackers “are becoming more sophisticated in the way they are managing to bypass Google Play’s detections and continue to serve fraudulent ads,” he said.

[Figure: How the LightsOut malware works, from Check Point.]

Padon praised Google’s (GOOG) overall security efforts in filtering shady apps from Google Play, especially so-called ransomware, in which the apps, once downloaded, can immediately block people from accessing their smartphone or scramble their documents unless they pay up.

Where Google struggles, however, is in discovering apps that perform covert tasks over a period of time in order to remain undetected, rather than immediately engaging in fraud or other nefarious activities. And hackers are increasingly distributing malicious apps through the Google Play store, Padon said.

Based on Check Point’s research, and not counting similar efforts by other security vendors, Padon estimates that from 2016 through 2017, the amount of malware downloads “at the very least doubled” on Google Play. In 2017, Check Point estimated between 35.5 and 106 million malicious app downloads from Google Play, compared to 15.5 to 20.5 million malicious app downloads in 2016.

“It’s important to note that these numbers refer only to malware first discovered by Check Point, and do not include all malware we’ve detected, or malware detected by other vendors, so the total numbers probably exceed this by far,” he later added in an email.

Padon recommends that Android phone users install some form of security software on their smartphones that can screen for bad apps. People should generally avoid installing flashlight apps as well, because they appear to be a common vehicle through which hackers spread malware.

“I can’t really think of a good reason to install a flashlight app, but people continue to do so,” said Padon. “It is the cliché that keeps on giving.”