Android users are being warned about Google Play Store apps downloaded millions of times that are loaded with malicious software.
There are over two billion active devices running Android each and every month around the world.
And the huge Android user base has been subject to a number of high profile security alerts, the biggest of which being the Judy malware campaign.
This affected up to 36.5million Android devices and was spread via the official Google Play Store app marketplace.
And once again Android users have been put on alert about a malware threat that was spread via the Google Play Store.
Security researchers at SophosLabs discovered 22 Google Play Store apps that were loaded with malware which drained the battery of victims’ smartphones.
This malware also downloaded files onto an Android device without a victims’ consent.
In total these apps were downloaded more than two million times, with one app – Sparkle Flashlight – downloaded alone over a million times.
Security researchers said the Sparkle Flashlight app was updated in March this year and afterwards contained a hidden file downloader.
This worked without a victim’s knowledge and could download files from external servers without consent and also click on hidden adverts.
This helped criminals behind the Android attack generate revenue.
In a post online, Sophos said: “Mobile platform fan-favouritism aside, there is a distinct difference between the worlds of Android and iOS mobile devices: Advertisers will pay a premium to reach the supposedly deep-pocket owners of Apple phones and tablets.
“As clickfraud grows as a revenue stream for unscrupulous mobile app developers, it turns out that it pays well to lie about what kind of mobile device is fraudulently clicking those ads.
“So when SophosLabs stumbled into a stockpile of 22 mobile apps that, until last month, had been hosted in the Google Play Market and collectively downloaded more than 2 million times, the biggest surprise for us was not that the clickfraud had gone on, unnoticed, in some cases for months or years, but that these Android apps were posing as Apple devices to advertisers, possibly in order to earn a premium return on their criminal activity.
“Three of the apps dated back at least a year, and one of them (a flashlight app) had been downloaded at least a million times, but the majority of these malicious apps were created during or after June, 2018.
“The three oldest apps didn’t start out evil, but they seem to have been Trojanized with the clickfraud code added into the apps at around the same time, in June.”
Sophos said that Google has now removed the offending apps from the Play Store and they could no longer be downloaded.
However, they said the offending infrastructure for the Android trojan remains active.
They said: “Google took action and removed the apps from the Play Market during the week of November 25th.
“The apps can no longer be downloaded from the official Google store, but the C2 infrastructure remains active.
“Apps from this collection that remain installed on devices may still be delivering a constant revenue stream to the apps’ creators by continuing to defraud advertising networks.”