Malware using new precision-targeted tactics to distribute adware hid on the Google Play store for two months and infected over 10,000 Android users before being removed.
Called 'Skinner' the malware will display unwanted ads to user, but does so in a way which avoids raising suspicion that they're malicious by specifically targeting them to go with the app the user is currently using.
Discovered by cybersecurity researchers at Check Point, Skinner is far from the first instance of malware to be discovered on the Google Play store - but this one uses sophisticated new tactics.
Rather than outright infecting as many victims as possible, it's in Skinner's interests to be discreet and avoid detection in order to prevent raising alarms and continue the distribution of adverts for raising clickthrough revenue.
These ads are ones the users wouldn't see unless infected with Skinner and by clicking through them it generates ad revenue for the developers. Generating revenue is on the only goal of Skinner - it doesn't distribute further malware or direct users to malicious websites - it's in its interest to stay below the radar.
The malware was embedded in an app described as providing "game related features" and once downloaded from Google Play, it tracks the user's location and actions, as well as being able to execute code from its Command and Control server without the permission of the user.
However, Skinner doesn't immediately begin its malicious activity, rather the malware waits for user activity - such as opening an app - to begin to be sure the device is being used by an actual user. The malware also checks for debugging software and that the app was installed from Google Play; both techniques intended to evade detection by researchers.
This subtly is also used when it comes to displaying adverts to the victim; instead of just displaying any random ad, Skinner checks what type of app the user has open at that time and tailors the displayed advert to look as if it is legitimately associated with the app - thus enhancing the chance of a click through.
Researchers note that this sort of "tailored marketing" is "unique and quite innovative", citing that while most adware relies on mass distribution at any cost, Skinner is able to infect a small amount of users but generate the same amount of revenues - all while avoiding being caught.
"The smaller the spread of a malware is, the fewer chances it will raise any alarms and undergo security inspections. We believe this sort of tactic will be adopted and perfected by other Adware in the near future" said Check Point researchers in a blog post.
The fact that Skinner used custom obfuscation, rather than just copying a known technique from other malware, made it harder to detect. And although Google has now removed it from the Play Store, it's likely that other groups will adopt its subtle tactics in future.
"The advanced evasion methods introduced by this malware will only increase in complexity, endangering users worldwide," said researchers.
While Android users can no longer download Skinner, it's likely that a large proportion of the 10,000 who installed the malware are still infected and that these ghost apps are still generating revenue for criminals.
ZDNet has contacted Google for comment on why the malware was not discovered for two months, but is yet to receive a reply.