The innocent-looking apps stacked up a collective 100 million downloads between them, and included popular games targeted at teen users, photo editors, weather apps, emoji apps and others.
Researchers from Lookout, a mobile security company, alerted Google of the danger associated with the apps in a recently published blog post.
“It is becoming increasingly common for innovative malware authors to attempt to evade detection by submitting innocuous apps to trusted app stores, then at a later time, downloading malicious code from a remote server,” the researchers wrote.
The infected apps contained Igexin, a software development kit of Chinese origin, which allows the apps to connect to advertising networks to deliver targeted adverts based on users’ incomes, interests and demographics; this is particularly widespread among free apps which rely on advertising revenue.
A malicious version of Igexin, which was installed with these apps onto users’ phones, allows the app to install updates including hidden spyware with no warning.
“Igexin is somewhat unique because the app developers themselves are not creating the malicious functionality, nor are they in control or even aware of the malicious payload that may subsequently execute,” the blog post continued.
“Instead, the invasive activity initiates from an Igexin-controlled server.”
The malware was detected after the researchers began investigating suspicious traffic, and noticed an app downloading large, encrypted files after making requests to servers which had previously served malware. According to the researchers, this traffic is often the result of malware which surreptitiously downloads and executes code after a “clean” app is installed, setting off alarm bells.
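As an added illustration of the traffic heuristic just described (example code, not from Lookout's research or the original article), the following Python flags an app that contacts a host previously seen serving malware and then receives a large, high-entropy response, the signature of an encrypted payload being pulled down after install. The host names, app ids and network events are constructed for the example.

```python
import math
from collections import Counter

# Constructed: hosts previously observed serving malicious payloads.
KNOWN_BAD_HOSTS = {"ads-update.example.invalid"}

# Constructed stand-in for an encrypted download: every byte value is equally
# likely, so its entropy sits at the 8.0 bits/byte ceiling that ciphertext nears.
ENCRYPTED_BLOB = bytes(range(256)) * 16

# Constructed per-app network events in time order:
# (app id, remote host, bytes received, sample of the response body)
SAMPLE_EVENTS = [
    ("photo.editor.example", "ads-update.example.invalid", 512, b'{"cmd":"fetch"}'),
    ("photo.editor.example", "cdn.example.invalid", 2_400_000, ENCRYPTED_BLOB),
    ("weather.example", "api.weather.example.invalid", 3_000_000, b'{"temp":21}' * 200),
    ("emoji.example", "ads-update.example.invalid", 300, b"ok"),
]

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample; encrypted or compressed data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def flag_suspicious(events, min_size=1_000_000, min_entropy=7.5):
    """Return the set of apps that contacted a known-bad host and afterwards
    received a large, high-entropy response (the pattern described above).
    A bad-host contact alone is worth logging but is not flagged by itself."""
    contacted_bad = set()
    flagged = set()
    for app, host, size, body in events:
        if host in KNOWN_BAD_HOSTS:
            contacted_bad.add(app)
        if app in contacted_bad and size >= min_size \
                and shannon_entropy(body) >= min_entropy:
            flagged.add(app)
    return flagged

if __name__ == "__main__":
    print(sorted(flag_suspicious(SAMPLE_EVENTS)))  # ['photo.editor.example']
```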
Some of the spyware allowed for the collection of call histories, GPS locations, nearby Wi-Fi networks and other installed apps.
In response, Google has removed at least 500 apps from its Play Store. Not all of these apps had actually installed the malicious plugin, but all carried the risk that it could be installed. The Android permissions system imposes some limits on what code can run on a device.
Lookout and Google have not released lists of affected apps, although Lookout disclosed that SelfieCity and LuckyCash are among the apps previously infected.
Earlier in August, Google and Apple removed hundreds of financial trading apps from their app stores after the Australian Securities and Investments Commission discovered that many app operators did not have the license required to operate, and did not properly disclose risks to their users.