Google has cleaned out more than 20 apps from its official app store, which were infected with the LightsOut malware.
Check Point was the first to write about the cull, noting that 22 apps had been removed - although they had been downloaded millions of times.
LightsOut is adware that serves up advertising to victims, using scripts to override users' settings that would otherwise prevent adverts from showing outside of a valid context.
Most of the infected apps controlled the phone's torch function. Each had a menu with additional options, including one controlling when to display adverts: when on WiFi, when a call ends, when the screen is locked or when the phone is charging. However, adverts would be shown regardless of the user's choice.
LightsOut would also remove the app's icon from the phones, making it difficult to remove. Some users said that they were forced to press on adverts to interact with their phone, such as when answering a call; and one reported that the advertising activity continued even after purchasing the paid version.
Each app was downloaded between 1.5 million and 7.5 million times.
The common advice when a malicious Android app is discovered is to stick to downloading from the Google Play store. However, LightsOut has proven that even this official source is not infallible (although much better than it used to be). Check Point added, ‘users...are advised to have a ‘Plan B' in the form of an advanced mobile threat defense solution that goes beyond anti-virus.'
"Security solutions without advanced context analysis would have a difficult time spotting the wrongdoings," said Check Point mobile threat researcher Daniel Padon.
Connexin drops out of Ofcom auction due to start next week
SwiftKey users now send two billion emoji every week
Recruitment plans are 'most ambitious ever', claims Openreach HR director Kevin Brady
Samsung's under-the-hood improvements separate the S9 from the pack when it comes to the display