More than 500 popular apps have been removed from the Google Play Store after a backdoor was found that let the developers of an embedded SDK add spyware at any time, according to mobile security firm Lookout.
A large number of apps using the Igexin software development kit (SDK) have been found to carry the flaw, totaling more than 100 million downloads.
A blog post from two of Lookout's researchers explains: "It is becoming increasingly common for innovative malware authors to attempt to evade detection by submitting innocuous apps to trusted app stores, then at a later time, downloading malicious code from a remote server.
"Igexin is somewhat unique because the app developers themselves are not creating the malicious functionality - nor are they in control or even aware of the malicious payload that may subsequently execute. Instead, the invasive activity initiates from an Igexin-controlled server."
The apps affected are not niche. Igexin-enabled apps include games targeted at teens (one of which was in the 50-100 million downloads band), weather apps (one of which has between one and five million downloads), internet radio apps (500,000-1 million) and photo editors (1-5 million), as well as other categories including educational, health and fitness, travel, emoji and home video camera apps.
The research began after Lookout noticed apps downloading large, encrypted files following a series of initial requests to a REST API. This is a common technique for such viral "afterware".
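The "submit an innocuous app, fetch the code later" pattern described above leaves a static footprint: the app has to ship a runtime class loader and a network path for the payload. The following added example (not code from Lookout or this article) parses the string table of an Android classes.dex and flags that combination; the indicator class names and the constructed sample DEX are assumptions for illustration, not Lookout's signatures.

```python
import struct

# Runtime code-loading and download indicators to look for in an APK's classes.dex
# string table (an assumed indicator set for illustration, not Lookout's signatures).
LOADER_INDICATORS = {"Ldalvik/system/DexClassLoader;", "Ldalvik/system/InMemoryDexClassLoader;"}
NETWORK_INDICATORS = {"Ljava/net/HttpURLConnection;", "Ljava/net/URL;"}

def read_uleb128(buf, off):
    """Decode a DEX ULEB128 value; return (value, offset after it)."""
    result, shift = 0, 0
    while True:
        b = buf[off]
        off += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, off
        shift += 7

def dex_strings(dex):
    """Yield the string_ids table: size at header 0x38, offset at 0x3C (LE u32);
    each entry points at a ULEB128 UTF-16 length followed by NUL-terminated MUTF-8."""
    if dex[:4] != b"dex\n":
        raise ValueError("not a DEX file")
    count, table_off = struct.unpack_from("<II", dex, 0x38)
    for i in range(count):
        (data_off,) = struct.unpack_from("<I", dex, table_off + 4 * i)
        _, start = read_uleb128(dex, data_off)
        end = dex.index(b"\x00", start)
        yield dex[start:end].decode("utf-8", errors="replace")

def assess_dex(dex):
    """Report which indicator groups appear; a loader plus networking is the flag."""
    strings = set(dex_strings(dex))
    hits = {"loader": sorted(strings & LOADER_INDICATORS),
            "network": sorted(strings & NETWORK_INDICATORS)}
    hits["suspicious"] = bool(hits["loader"] and hits["network"])
    return hits

def build_sample_dex(strings):
    """Build a minimal DEX-shaped blob (constructed sample data, not a real APK)."""
    header = bytearray(0x70)
    header[:8] = b"dex\n035\x00"
    table_off = len(header)
    data_start = table_off + 4 * len(strings)
    table, data = bytearray(), bytearray()
    for s in strings:
        table += struct.pack("<I", data_start + len(data))
        data += bytes([len(s)]) + s.encode() + b"\x00"  # ULEB128 length fits one byte (< 128)
    struct.pack_into("<II", header, 0x38, len(strings), table_off)
    return bytes(header + table + data)
```

On a real APK, unzip it and pass the bytes of each classes*.dex to assess_dex; a hit is a triage lead, not proof, since legitimate plugin frameworks use the same loaders.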
Lookout, which has warned many times of Android malware dangers, emphasises that many developers probably weren't even aware of what evil lurked under the bonnet of their apps and unwittingly gave Igexin wide-ranging permissions. It also points out that not all versions of Igexin are evil and that Igexin, the company behind the SDK, probably isn't either - just careless.
Although Lookout has declined to name the apps in question, it points out that users of its security apps are protected from the issue. We'd assume this applies to most anti-malware suites for Android.
Apps affected have been removed and, in most cases, replaced with safe versions.
For its part, Google recently launched Google Play Protect, an in-built suite of security features to root out dodgy apps at the cloud level, before they even touch your phone.
About time, too.