Ad-displaying malware in nearly 50 apps on the Google Play Store has infected nearly two million phones.
And it's all thanks to a combination of user stupidity, and the ad giant failing to spot and remove the software nasty lurking in its application souk.
The rogue code – dubbed Falseguide because it is contained within game walkthrough applications – has been spreading fast, in part because of poor app checking by Google. According to infosec vendor Check Point, some of these apps have been hiding in plain view in the Google Play store since November of last year, and their malicious nature wasn't picked up by the Chocolate Factory.
"Mobile botnets are a growing trend since early last year, growing in both sophistication and reach," Check Point said in an advisory that lists the dodgy apps – all of which have belatedly been removed from the Play Store.
"This type of malware manages to infiltrate Google Play due to the non-malicious nature of the first component, which only downloads the actual harmful code. Users shouldn't rely on the app stores for their protection."
These apps may have been able to slip past Google's malware radars by appearing to be innocent programs and later smuggling malicious code onto the devices. Rather than bundling ad-slinging code and spyware into the app, the software's masterminds use Google's Firebase SDK to access an online discussion board, which is used to control the two-million-strong army. Messages containing URLs to additional modules are posted to the forum, which the apps read and obey by installing the linked code.
So far the only nasties Falseguide downloads and executes just display annoying adverts on handsets, but future modules could, for example, install spyware on the devices, or be used to launch denial-of-service attacks on victims.
This is all possible thanks to the level of access the apps ask for when first installed: the software pops up a permission request screen telling users that it wants full device admin rights.
Obviously this should set alarm bells ringing – a game guide is no more than a collection of pictures and text, and there's no reason for it to have such access rights. But, people being people, around two million idiots have ignored this red flag waved by someone in a scarlet leotard and ruby slippers screaming "red flag, red flag" – and tapped OK.
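As an added illustration (not code from Check Point's report or from the apps themselves), here is a static triage check that a reviewer or app-vetting pipeline could run over an AndroidManifest.xml: it flags apps that declare a device-admin receiver, network access, and a Firebase Cloud Messaging listener, the combination described above for a "game guide" that has no business asking for any of it. The two manifests are constructed samples, and the element and action names are the standard Android and Firebase ones.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"        # android:name, namespaced as ElementTree sees it
A_PERM = f"{{{ANDROID_NS}}}permission"  # android:permission

DEVICE_ADMIN_PERM = "android.permission.BIND_DEVICE_ADMIN"
DEVICE_ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"
FCM_ACTION = "com.google.firebase.MESSAGING_EVENT"  # FirebaseMessagingService intent action


def triage_manifest(manifest_xml: str) -> dict:
    """Return which risk indicators a manifest declares and whether it merits manual review."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(A_NAME) for p in root.iter("uses-permission")}
    actions = {a.get(A_NAME) for a in root.iter("action")}
    # A DeviceAdminReceiver must be protected by BIND_DEVICE_ADMIN and listen for DEVICE_ADMIN_ENABLED.
    admin_receiver = any(r.get(A_PERM) == DEVICE_ADMIN_PERM for r in root.iter("receiver"))
    findings = {
        "device_admin": admin_receiver or DEVICE_ADMIN_ACTION in actions,
        "internet": "android.permission.INTERNET" in perms,
        "push_listener": FCM_ACTION in actions,
    }
    # Device admin plus a network path is the pairing worth a human look for a content-only app.
    findings["review"] = findings["device_admin"] and findings["internet"]
    return findings


# Constructed sample: a plain walkthrough app that only fetches its pages over the network.
GUIDE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="example.guide">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><activity android:name=".MainActivity"/></application>
</manifest>"""

# Constructed sample: the same kind of app, but with device-admin and push-message hooks.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="example.guide2">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
    <service android:name=".PushService">
      <intent-filter><action android:name="com.google.firebase.MESSAGING_EVENT"/></intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, xml in (("guide", GUIDE_MANIFEST), ("suspect", SUSPECT_MANIFEST)):
        print(label, triage_manifest(xml))
```

The check is a triage heuristic, not a verdict: legitimate device-management apps declare the same receiver, so hits need a human to ask whether the app's stated purpose justifies it.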
The source of the malware is unknown, but the apps were uploaded by two developers named Sergei Vernik and Nikolai Zalupkin. These are highly likely to be fake accounts, but Russia is churning out some quality malware these days, as many people are finding out to their cost.
Google had no comment at time of publication. ®