Cybercriminals have distributed malware to hundreds of thousands of Android users by hiding it inside a series of apparently harmless apps.
The malware was sneaked onto the Google Play Store disguised as seven different apps -- six QR readers and one 'smart compass' -- and passed Google's security checks by hiding its true intent in two ways: tucking the malicious code away where it looks like an ordinary library, and delaying its first burst of malicious activity.
Following installation, the malware waits for six hours before it begins work on its true purpose -- serving up adware, flooding the user with full screen adverts, opening adverts on webpages, and sending various notifications containing ad-related links.
All of this activity was designed with the intent of generating click-based revenue for the attackers -- even when the app itself isn't actively running.
The general-purpose nature of the apps allowed the attackers to pull in a large number of downloads. Uncovered by researchers at SophosLabs, the malware, dubbed Andr/HiddnAd-AJ, is thought to have infected at least a million users, and potentially many more; one of the malicious apps alone was downloaded 500,000 times before being pulled by Google.
When one of the malicious apps is first run, it calls home for configuration information on a server controlled by those behind the scheme.
Crucially, to hide the nefarious nature of the download, no malicious operations run on an infected device for the first few hours after installation -- long enough to outlast the few minutes an automated app-vetting sandbox typically spends running a sample. Once that grace period has passed, the app downloads its configuration from the server: a list of URLs, messages, icons and links, all used to push ads onto the victim.
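The delay-then-fetch behaviour described above is what makes short automated analysis runs miss the app. The following Python model is an added example written for this article, not the malware's own code or anything from Sophos: it models an app that records its first launch, stays dormant for the grace period, then pulls an ad configuration, and shows why a sandbox that observes for thirty minutes sees no network activity unless it advances the device clock. The six-hour figure comes from the report; the configuration payload, the `constructed_fetch` stand-in for the server and the `example.invalid` URLs are constructed for the demonstration.

```python
import json
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Grace period before any ad activity, per the report (six hours).
GRACE_SECONDS = 6 * 60 * 60

# Constructed stand-in for what the server hands back after the grace period:
# lists of URLs, messages, icons and links used to push ads. Not real infrastructure.
CONSTRUCTED_CONFIG = json.dumps({
    "urls": ["http://ads.example.invalid/full-screen", "http://ads.example.invalid/web"],
    "messages": ["Your phone needs a clean-up!", "Claim your prize"],
    "icons": ["http://ads.example.invalid/icon1.png"],
    "links": ["http://ads.example.invalid/click?id=1"],
})


def constructed_fetch() -> str:
    """Simulated configuration download; a real sample contacts its own server."""
    return CONSTRUCTED_CONFIG


@dataclass
class DelayedAdware:
    """Model of the behaviour: record first run, stay quiet, then pull config once."""
    first_run: Optional[float] = None
    config: Optional[Dict[str, List[str]]] = None
    network_calls: List[str] = field(default_factory=list)

    def on_wakeup(self, now: float, fetch: Callable[[], str]) -> bool:
        """One scheduler wake-up. Returns True on the wake-up that fetches the config."""
        if self.first_run is None:
            self.first_run = now                      # dormant: nothing observable yet
            return False
        if self.config is None and now - self.first_run >= GRACE_SECONDS:
            self.network_calls.append("GET /config")  # first observable activity
            self.config = json.loads(fetch())
            return True
        return False


def run_sandbox(observe_seconds: int, clock_jump: int = 0, wake_every: int = 60) -> Dict[str, object]:
    """Observe the sample for observe_seconds of real time, waking it every wake_every seconds.

    clock_jump models a sandbox that advances the device clock right after the first
    launch, the usual counter to 'wait N hours before doing anything' evasion.
    """
    sample = DelayedAdware()
    sample.on_wakeup(0.0, constructed_fetch)          # install and first launch
    device_clock = float(clock_jump)
    for elapsed in range(wake_every, observe_seconds + 1, wake_every):
        sample.on_wakeup(device_clock + elapsed, constructed_fetch)
    return {
        "activated": sample.config is not None,
        "network_calls": len(sample.network_calls),
        "ad_urls": sorted(sample.config["urls"]) if sample.config else [],
    }


if __name__ == "__main__":
    print("30 min, real clock:", run_sandbox(30 * 60))
    print("30 min, clock +6h: ", run_sandbox(30 * 60, clock_jump=GRACE_SECONDS))
    print("7 h, real clock:   ", run_sandbox(7 * 60 * 60))
```

A thirty-minute run with a real clock records no network call at all, which is the whole point of the delay; the same run with the clock pushed forward six hours produces the configuration fetch and the ad URLs an analyst would want as indicators. In practice the clock jump has to be applied to whatever the sample measures elapsed time against (system uptime, wall clock, or a stored first-run timestamp), which is why analysts usually combine it with a look at the decompiled scheduling code.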
Besides delaying its activity, the malware also hides the adware code inside what looks like a standard Android programming library bundled with the app.
Alongside that library's genuine subcomponents, the attackers add a 'graphics' section that looks innocent but contains the code for fetching all the information and files required to run the malicious adverts.
Upon discovering the malicious apps, Sophos informed Google, which has now removed them from the Play Store.
Nonetheless, despite Google's failure to spot the malicious nature of these apps, Sophos recommends Android users stick to downloading apps from the Play Store -- because it's still safer than third-party Android app stores.
The official nature of the Play Store also means that if malicious apps slip through the cracks, users can help alert Google about the threat.
"If you find a dodgy app in the Play Store, it is worthwhile reporting it, on the computer security principle that an injury to one is an injury to all," Paul Ducklin, senior technologist at Sophos, told ZDNet.