Security firm SophosLabs has just discovered a new malware infecting Android devices. Researchers found a file buried deep within the libraries of several seemingly legitimate apps on the Google Play store. Sophos informed Google of the rogue apps, and it has since removed them. However, the security group estimates that more than 500,000 people had already downloaded affected apps before they were pulled.

The questionable file (Andr/HiddnAd-AJ) has a name that seems obvious, but was able to slip past Google’s “Play Protect” vetting system disguised as utility apps — six different QR code readers and one “smart compass.” While malware disguised as legit apps is nothing new, this malware went a step further by remaining dormant for several hours after being downloaded. Once active, the malware inundates the phone with ads.

“For all its apparent innocence, however, this malware not only pops up advertising web pages but can also send Android notifications, including clickable links, to lure you into generating ad revenue for the criminals,” said the researchers.


(Image via SophosLabs)

The developers of the malware also used a novel trick to hide the malicious algorithms further.

“The adware part of each app was embedded in what looks at first sight like a standard Android programming library that was itself embedded in the app. By adding an innocent-looking “graphics” subcomponent to a collection of programming routines that you’d expect to find in a regular Android program, the adware engine inside the app is effectively hiding in plain sight.”

If you were one of those unfortunate enough to have downloaded one of the applications before Google removed them from the store, you should remove the suspicious app. SophosLabs also has a security app that can detect and remove this and other malware for you.

Despite malicious programs sometimes getting through Google’s checks, the researchers say that Google Play is still the safest place to get your apps. Many third-party stores have no security measures in place at all, so the risk is much higher outside of the Google ecosystem.