NEW YORK (CNNMoney) -- Those pesky pop-up ads from the '90s are back, but this time they're holding your smartphone hostage.
Tens of thousands of smartphone apps are running ads from rogue advertising networks that change smartphone settings and take contact information without permission, according to a new study released Monday.
Aggressive ad networks can disguise ads as text message notifications or app icons, and sometimes change browser settings and bookmarks. Often, the ads will upload your contacts list to the ad network's servers -- information the ad network can then sell to marketers.
Sounds scary? It's not a giant problem yet, but it's a growing one. As many as 5% of free mobile apps use an "aggressive" ad network to make money, according to Lookout, a San Francisco-based mobile security company.
With millions of mobile apps in stores, that small sliver adds up to a big number. The study found that 19,200 of the 384,000 apps it tested used malicious ad networks. Those apps have been downloaded a whopping 80 million times.
PhoneLiving is the most prevalent app developer to use these kinds of ad networks -- their dozens of talking animal apps have been downloaded 10 million times, according to Lookout. PhoneLiving could not be reached for comment, as its website -- aside from its homepage -- returns nothing but error messages.
The most popular type of apps that use aggressive ad networks are "personalization" apps, which include wallpapers. Comic, arcade and entertainment apps are also among the most likely to have rogue ad networks running behind the scenes.
Like aggressive pop-ups on PCs, the bad software isn't easy to shed. Though the damage can typically be reversed by deleting the app, it can be hard to pinpoint which app is causing the problems.
"Sometimes you download 10 apps at a time, so you don't know which is responsible," said Kevin Mahaffey, Lookout's CTO. "It's not unlike adware in the early PC days."
Mobile Ads Can Hijack Your Phone and Steal Your Contacts
When criminals hack a Facebook account, they typically use one of several available "brute force" tools, says Grayson Milbourne, Webroot's manager of threat research for North America. These tools cycle through a common password dictionary, and try commonly used names and dates, targeting hundreds of thousands of different email IDs. Once hacked, an account can be used as a platform to deliver spam, or -- more commonly -- sold. Clandestine hacker forums are crawling with ads offering Facebook account IDs and passwords in exchange for money. In the cyber world, information is a valuable thing.
Commandeering occurs when a criminal logs on to someone else's account using an illegally obtained ID and password. Once online, they have the victim's entire friend list at their disposal and a trusted cyber-identity. The impostor can then run a variety of confidence schemes, such as the popular "London scam," in which the "friend" claims to be stranded overseas and in need of money to make it home. The London scam has a far higher success rate on Facebook -- and specifically on commandeered accounts -- because there is a baseline of trust between users and those on their friends lists.
Profile cloning is the act of using unprotected images and information to create a Facebook account with the same name and details of an existing user. The cloner then sends friend requests to all of the victim's contacts, who will likely accept them, as they appear to be from someone they know. Those accepted friend requests give the con artist access to his new "friends'" personal information, which can be used to clone other profiles or to commit fraud.
As Grayson Milbourne puts it, "Exploiting a person's account and posturing as that person is just another clever mechanism to use to extract information." Perhaps what's scariest about this kind of crime is its simplicity. Hacking acumen is unnecessary to clone a profile; the criminal simply needs a Facebook account.
Cross-platform profile cloning is when a cyber criminal obtains information and images from Facebook and uses them to create false profiles on another social-networking site, or vice versa.
Because the profile is often cloned to a social networking platform that the victim doesn't use, this kind of fraud may also take longer to notice and remedy.
Phishing on Facebook usually involves a hacker posing as a familiar individual or respectable organization, and asking for a user's personal data, usually via a wall post or direct message.
Often, users will be directed to click on a link. Once they do so, their computer may be infected with malware, or they may be directed to a website that offers a compelling reason to divulge sensitive information.
A classic example would be a site that congratulates its victims for having won $1,000 and prompts them to fill out a form to collect their prize -- a form that requests credit card, bank account or Social Security numbers, which can then be used by the fraudsters.
Also becoming increasingly common, warns Milbourne: "spearphishing," a practice that uses the same basic idea but targets users through their individual interests.
In this common con, the scammers direct users via some sort of clickable enticement to a convincing, but spurious, Facebook log-in page. When the victims enter their usernames and passwords, they are collected in a database, to be used by the original scammer or resold to other criminals.
Once scammers have a user's login information, they can take advantage of the identity through apps like Facebook Marketplace. Posing as a reputable user lets the scammer capitalize on the trust that his victim has earned to sell fake goods and services, or promote brands they have been paid to advertise.
In affinity fraud, con artists assume the identities of people in order to exploit the trust of those close to them to steal money or information. Facebook facilitates this type of fraud because people on the social network often end up having a number of "friends" they actually do not know personally and yet implicitly trust.
Criminals can infiltrate a person's group of friends and then offer someone deals or investments that are part of a con. They can also assume an identity by hacking into a person's account and asking their friends to wire them money, or give them sensitive information like a Social Security or credit card number.
Few sites provide an easier source of basic personal information than Facebook. While it is possible to keep all personal information on Facebook private, users frequently reveal their email addresses, phone numbers, addresses, birth dates and other pieces of private data. As security experts and hackers know, this kind of information often finds its way into passwords or answers to "secret" security questions. While the majority of unprotected information is mined for targeted advertising, it can be used for more pernicious ends such as profile cloning and, ultimately, identity theft.
Most mass email advertisements are legal, if annoying. However, the growth of social networking has allowed for a new kind of spam called clickjacking. Clickjacking uses an advertisement for a viral video or article as an inducement to click on a link. Once clicked, the link sends the user to a page that tricks them into taking actions without realizing it, such as sending an advertisement to all their friends' walls, buying an item via a concealed page, or revealing personal data. This has become such an issue for Facebook that earlier this year, the company teamed up with the U.S. Attorney General to try to combat the problem.
When developers create free mobile apps, they usually make money through ads displayed within the app. That free version of Angry Birds didn't cost you anything because of the pop-up ad that appears right as you're catapulting the red bird at its target.
The vast majority of ads run on well-known ad networks like Jumptap, Apple's (AAPL) iAd and Google's (GOOG) AdMob. They collect some information about their users, but they don't go to the extremes of uploading contact lists and changing settings.
The appeal of the ad networks that Lookout gently calls "aggressive" is that they generate more revenue for app developers.
Android ad network Airpush, for example, places ads in users' notification bars and home pages. That generates more clicks -- and more money for developers -- since even inactive users can view the ads.
Lookout has criticized Airpush in the past for being overly aggressive with its marketing techniques, but it remains the second-biggest ad network for Android devices. Airpush does give users the option of opting out of its push notification ads.
Airpush representatives did not respond to a request for comment.
App makers don't usually disclose what ad network they're using, which makes it hard to avoid the known offenders. The best defense is to read reviews and avoid downloading apps that have attracted a trail of complaints.
Lookout's Mahaffey says bad actors are more prevalent on Android phones than iPhones, because the Google Play app store has fewer restrictions and gatekeepers than Apple's iTunes app store.
But the iPhone isn't immune: Other ad networks Lookout considers aggressive include Moolah Media, Leadbolt and Mocean Mobile, all of which publish apps for both Android and iOS.