Despite using machine learning to spot bad apps, Google let 50 of them into the Play Store, allowing the rogue programs to rack up 4.2 million downloads between them.
Google has now removed the apps, which enable fraudsters to make money by secretly sending messages to premium-rate SMS services and subscribing users to paid online services without their knowledge.
The apps were discovered by researchers at Check Point, who've dubbed the malware ExpensiveWall because one of the trojanized apps was called Lovely Wallpaper. The malware is a variant of malware found in a photography app discovered in January by McAfee.
Once ExpensiveWall-infected apps are installed, they acquire the device's phone number to subscribe to a range of paid services and carry out SMS fraud. One victim reported being charged €10 ($12) per month, according to a snapshot of reviews for one of the apps.
Google swiftly removed the apps after being notified by Check Point on Aug. 7. However, a few days later another ExpensiveWall app made it to the store and infected over 5,000 devices, according to Check Point.
The security company has provided a list of the infected apps on its website and advises users to remove them manually as they obviously may still be installed even though Google has removed from them from the store.
It's not clear when the apps became infected with ExpensiveWall, but some of the apps were uploaded to Google Play in 2015. Check Point suspects the apps are infected by software development kit called 'gtk,' which developers embed in apps themselves.
The most downloaded of the infected apps is called I Love Filter, the malware discovered in January. It was downloaded between one million and five millions times.
Other apps downloaded as much as a million times include X Wallpaper, Horoscope, and X Wallpaper Pro.
To avoid detection by Google's anti-malware, ExpensiveWall's developers used so-called 'packers', which encrypt or compress a malicious file to make analysis more difficult. The variant discovered earlier this year was not packed.
The malicious apps do request Android permissions to access SMS and internet access. If these are granted by the user, the apps will send the fraudsters key details about the device, including the MAC address, IP address, and unique device identifiers.
To subscribe to premium services and send SMS, the app opens an embedded webpage and runs a script that is capable of clicking on links in pages provided by ExpensiveWall's controllers.
According to Google's 2016 Android security report, SMS fraud apps account for 10 percent of all malicious apps distributed on Google Play and grew 282 percent compared with 2015.
Toll fraud, or fraudulent purchases charged to mobile phone accounts, made up two percent, but grew 593 percent year over year.
Google has had to remove dozens of infected apps from the Play Store in recent months including SpyDealer, SonicSpy, and Judy.
The malicious apps are a good reason to enable Google Play Protect on Android. All devices with Google Play installed have the feature. Users who don't have it enabled may soon find themselves being prompted by apps they install from Google Play to do so.
Google yesterday released a new SafetyNet Verify Apps API, which tells a developer whether a device their app is installed on is running Play Protect. It will also tell the developer whether any known malicious apps are currently installed.
This Android banking malware steals data by exploiting smartphone accessibility services
The notorious Svpeng malware takes advantage of an Android function designed to help people with disabilities use their phone.
CopyCat Android malware infected 14 million devices, rooted 8 million last year
The malware relies on old vulnerabilities to root devices.