In brief: According to security researcher Lukas Stefanko, 13 now-removed malware-ridden Google Play Store apps -- all created by the same individual -- had been installed by over 560,000 Android users. A few of the apps were even promoted within the Play Store's "Trending" section.
It's no secret that Google's Play Store isn't the best-policed app store out there. Malicious and nonfunctional apps appear on the store regularly, and they don't always get removed in a timely manner.
This has become even more clear today, as security researcher Lukas Stefanko has revealed that 13 now-removed Android apps, downloaded by over 560,000 users, contained malware. These apps were all masquerading as various Car Simulator games, taking advantage of misleading thumbnails and supposed in-game screenshots to entice users to download them.
According to Stefanko, two of the 13 apps managed to make their way to the Trending section of the Google Play Store, which likely boosted their download numbers considerably.
So, what exactly did these apps do? On the surface, absolutely nothing. If users try to launch the apps, they simply show a "Made with Unity" logo and then crash a few seconds later. After crashing, the apps hide their own icons to make uninstallation more difficult, while also downloading an "additional APK" in the background.
Digging deeper, it becomes clear that the apps were far from the harmless pranks they may seem to be. According to TechCrunch, each piece of software could give itself "full access" to a device's network traffic, which could have allowed the developer to swipe a given user's personal data.
If that wasn't wild enough, the story gets even stranger. These apps were all "developed" by the same individual: Luiz O Pinto. Furthermore, many of the apps had reviews that averaged out to three or more stars.
It's probable that said reviews were either fake or paid-for (we can't check now, given that the apps have been removed), but you'd think they would have quickly been buried by a flood of negative feedback from legitimate users; particularly if the previously-mentioned download numbers are accurate.
It's a bizarre situation overall, but for now, this rogue developer can't do any more harm. Whether or not he (or she) will return in the future under a different alias remains to be seen, though.