Google has taken the knife to a family of malicious apps it's named Chamois, a type of mountain goat, which may have infected millions of Android devices.
Chamois is the latest attempt to hijack Android devices for large-scale mobile ad fraud. Others in the past year include Hummingbad, which infected 10 million devices at its peak, and earned its operators an estimated $300,000 a month through fraudulent ads on infected devices.
Each malware family can reside in several thousand malicious apps. Some of these may make it to Google Play, but most are distributed in third-party stores.
Google designates these apps as "potentially harmful" and combats them with Verify Apps, a security feature installed on all phones with the Google Play app, which can help users uninstall apps even if they're hidden. The feature recently helped it flag over 25,000 apps in the Hummingbad, Ghost Push, and Gooligan families.
Google says the recently discovered Chamois was "one of the largest PHA families seen on Android to date" and distributed through "multiple channels".
The Chamois ad fraud business relied on installed apps generating fake traffic through pop-up ads, automatically installing other apps in the background that were designed for premium SMS fraud. They also downloaded and executed additional plugins.
Users who installed the malicious apps are unlikely to have found it easy to remove them since they didn't appear in the device's app list.
Google says it found Chamois during a routine ad traffic quality assessment and believes it is the first to identify and track the malware family. Other major malware families have been found by third-party malware researchers.
Google notes that the Chamois apps did rank high on its DOI or "dead or infected" scorer, which can flag up a noticeable rise in the number of users initiating a factory reset or abandoning their devices because of a certain group of apps.
The company plans to release more details about the threat of Android botnets in its forthcoming Android Security 2016 Year In Review report.