More than 500 popular apps have been removed from the Google Play Store after a third-party SDK embedded in them was found to contain a backdoor that could deliver spyware to devices at any time, according to mobile security firm Lookout.
The affected apps all embed the Igexin software development kit (SDK) and between them account for more than 100 million downloads.
A blog post from two of Lookout's researchers explains: "It is becoming increasingly common for innovative malware authors to attempt to evade detection by submitting innocuous apps to trusted app stores, then at a later time, downloading malicious code from a remote server.
"Igexin is somewhat unique because the app developers themselves are not creating the malicious functionality - nor are they in control or even aware of the malicious payload that may subsequently execute. Instead, the invasive activity initiates from an Igexin-controlled server."
The apps affected are not niche. Igexin-enabled apps include games targeted at teens (one of which was in the 50-100 million downloads band), weather apps (one of which has between one and five million downloads), internet radio (500,000-1 million), photo editors (1-5 million) as well as other categories including educational, health and fitness, travel, emoji and home video camera apps.
The research began when Lookout noticed apps downloading large, encrypted files shortly after making a series of initial requests to a REST API. Shipping a clean app and fetching the malicious payload later is a common technique for this kind of "afterware".
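As an added illustration of the traffic pattern described above (this is example code written for this page, not Lookout's tooling and not anything from the Igexin SDK), the following Python sketch scans per-app HTTP records for small REST API calls followed shortly by a large, high-entropy download that is unlikely to be text or media. The app names, hostnames, paths and response bodies are constructed for the example.

```python
"""Heuristic flagging of the 'install clean, fetch code later' pattern.

Added example, not Lookout's tooling nor anything from the Igexin SDK. It
scans per-app HTTP records for small REST API calls followed shortly by a
large, high-entropy (probably encrypted) non-text download. All app names,
hosts, paths and bodies below are constructed for the example.
"""
import math
import random
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class Request:
    app: str           # package name of the app that made the request
    t: float           # seconds since the capture started
    url: str
    content_type: str  # response Content-Type
    body: bytes        # response body (or a sample of it)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted or random data, low for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_api_call(r: Request) -> bool:
    """Small JSON exchange on an API-style path (e.g. a registration or config hit)."""
    return ("/api/" in urlparse(r.url).path
            and r.content_type.startswith("application/json")
            and len(r.body) < 4096)


def looks_like_encrypted_blob(r: Request, min_size=32 * 1024, min_entropy=7.5) -> bool:
    """Large, non-text, non-image download whose bytes are near-random."""
    if len(r.body) < min_size:
        return False
    if r.content_type.startswith(("text/", "application/json", "image/")):
        return False
    return shannon_entropy(r.body) >= min_entropy


def flag_staged_payloads(requests, window=300.0, min_api_calls=2):
    """Return {app: (api_hosts, blob_url)} for apps showing the API-then-blob sequence.

    window: how many seconds before the blob download the API calls may have occurred.
    """
    by_app = {}
    for r in sorted(requests, key=lambda r: r.t):
        by_app.setdefault(r.app, []).append(r)

    hits = {}
    for app, reqs in by_app.items():
        for i, r in enumerate(reqs):
            if not looks_like_encrypted_blob(r):
                continue
            prior = [p for p in reqs[:i] if r.t - p.t <= window and looks_like_api_call(p)]
            if len(prior) >= min_api_calls:
                hits[app] = (sorted({urlparse(p.url).netloc for p in prior}), r.url)
                break
    return hits


def random_bytes(n, seed):
    """Deterministic stand-in for an encrypted payload (constructed test data)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed capture: one app shows the suspicious sequence, one does not.
SAMPLE_TRAFFIC = [
    Request("com.example.weather", 0.0, "https://sdk.ads-example.net/api/v2/register",
            "application/json", b'{"ok":true,"id":"a1"}'),
    Request("com.example.weather", 12.0, "https://sdk.ads-example.net/api/v2/config",
            "application/json", b'{"plugin":"p3","ver":2}'),
    Request("com.example.weather", 15.0, "https://sdk.ads-example.net/dl/p3.bin",
            "application/octet-stream", random_bytes(64 * 1024, seed=1)),
    Request("com.example.weather", 20.0, "https://api.weather-example.org/forecast",
            "application/json", b'{"temp":21}'),
    Request("com.example.notes", 1.0, "https://cdn.notes-example.org/api/theme",
            "application/json", b'{"bg":"#ffffff"}'),
    Request("com.example.notes", 5.0, "https://cdn.notes-example.org/help.html",
            "text/html", b"<html><body>" + b"help text " * 8000 + b"</body></html>"),
]

if __name__ == "__main__":
    for app, (hosts, url) in flag_staged_payloads(SAMPLE_TRAFFIC).items():
        print(f"{app}: API calls to {hosts}, then encrypted-looking blob from {url}")
```

Treat a hit as a triage signal rather than proof: compressed archives, video and fonts are also high-entropy, so an analyst still has to confirm what the app does with the blob, in particular whether it is decrypted and loaded as executable code rather than used as a resource.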
Lookout, which has warned many times of Android malware dangers, emphasises that many developers probably weren't even aware of what evil lurks under the bonnet of their apps: the SDK runs with whatever permissions the host app was granted, so developers unwittingly gave Igexin wide-ranging access. It also points out that not all versions of the SDK carry the malicious behaviour, and that Igexin, the company behind the SDK, probably isn't evil either - just careless.
Although Lookout has declined to name the apps in question, it points out that users of its security apps are protected from the issue. We'd assume this applies to most anti-malware suites for Android.
Apps affected have been removed and, in most cases, replaced with safe versions.
For its part, Google recently launched Google Play Protect, a built-in suite of security features intended to root out dodgy apps at the cloud level, before they even touch your phone.
About time, too.