Malicious actors take legitimate apps from the Google Play store, repackage them with baked-in adware, and serve them to third-party app stores. In many cases, the apps are still fully functional and don't alert the device owner.
It works like this: the user installs an app from a third-party store, and the app auto-roots the device, gaining access to the phone's entire system -- an act that alone punches a hole in Android's security, opening up more ways for hackers to launch their attacks. From there, the app periodically serves ads, which generate money for the attacker.
"Because these pieces of adware root the device and install themselves as system applications, they become nearly impossible to remove, usually forcing victims to replace their device in order to regain normalcy," said the company in a blog post.
The good news is that the company said there is no indication that users who install apps from Google Play, Android's official app store, are affected.
The San Francisco, Calif.-based security firm said there exist at least three similar families of Android-based trojanized adware, which serve ads -- Shuanet, Kemoge (known as ShiftyBug), and Shudun (or GhostPush).
"Together, the three are responsible for over 20,000 repackaged apps, including Okta's two-factor authentication app," the researchers wrote.
The big headache, particularly when enterprise apps like Okta are targeted, is that these apps may gain access to data they are not supposed to, including sensitive corporate data.
The researchers said the highest detection rates are in the US and Germany, and other high Android market share countries, like Russia, Brazil, and Mexico, adding that they expect trojanized malware to "continue gaining sophistication over time."