Hackers have duped hundreds of thousands of Android users into installing malware onto their devices by infiltrating the Google Play store and hiding it in a number of seemingly harmless apps.
Uncovered by security firm Sophos, the malware - labelled Andr/HiddnAd-AJ - lulls users into a false sense of security by remaining inactive for a while, before bombarding them with ads.
"We reported the offending apps to Google, and they've now been pulled from the Play Store, but not before some of them attracted more than 500,000 downloads," said Sophos in its Naked Security blog, adding that the subterfuge used by the developers to keep Google's "Play Protect" app-vetting process sweet was "surprisingly simple".
It explained: "Firstly, the apps were, at least on the surface, what they claimed: six were QR code reading apps; one was a so-called 'smart compass'.
"Secondly, the crooks didn't fire up the adware part of their apps right away, lurking innocently for a few hours before unleashing a barrage of ads."
Thirdly, Sophos said the adware part of each app was embedded in what looks at first sight like a standard Android programming library that was itself embedded in the app.
"By adding an innocent-looking 'graphics' subcomponent to a collection of programming routines that you'd expect to find in a regular Android program, the adware engine inside the app is effectively hiding in plain sight," it added.
However, the malware not only pops up advertising web pages, but can also send Android notifications, including clickable links, to lure users into generating ad revenue for the criminals.
"For the first six hours, the list of ads was empty, meaning that the behaviour of the apps was unexceptionable to start with… before flooding the device with full screen ads, opening various ad-related webpages, and sending notifications with ad-related links in them, even when the apps' own windows were closed," Sophos explained.
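The two behaviours Sophos describes, a long dormant period with an empty ad list followed by full-screen ads and ad-link notifications while the app's own windows are closed, are exactly what a short sandbox run misses. The following is an added example, not code from Sophos or the article, of a triage rule that flags those patterns in a per-app behaviour log; the log format, app names and URLs are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log from a hypothetical dynamic-analysis run, one event per
# line: "<iso timestamp> <package> <event> <detail>". Not real telemetry.
SAMPLE_LOG = """\
2018-03-20T10:00:00 qr.reader.app foreground true
2018-03-20T10:00:05 qr.reader.app ad_fetch list=[]
2018-03-20T10:01:00 qr.reader.app foreground false
2018-03-20T16:30:00 qr.reader.app ad_fetch list=[full1,banner1]
2018-03-20T16:30:02 qr.reader.app fullscreen_ad url=http://ads.example/1
2018-03-20T16:30:05 qr.reader.app notification url=http://ads.example/2
2018-03-20T10:00:00 good.compass foreground true
2018-03-20T10:00:03 good.compass ad_fetch list=[banner]
2018-03-20T10:00:04 good.compass banner_ad url=http://ads.example/b
"""

def parse(log):
    """Group events by package, ordered by timestamp."""
    events = defaultdict(list)
    for line in log.strip().splitlines():
        ts, app, event, detail = line.split(maxsplit=3)
        events[app].append((datetime.fromisoformat(ts), event, detail))
    for evs in events.values():
        evs.sort()
    return events

def analyse(log, min_dormancy=timedelta(hours=6)):
    """Return {package: sorted list of flags} for the adware patterns."""
    findings = {}
    for app, evs in parse(log).items():
        start = evs[0][0]           # first observation = install/first launch
        in_foreground = False
        empty_fetch_seen = False
        flags = set()
        for ts, event, detail in evs:
            if event == "foreground":
                in_foreground = detail == "true"
            elif event == "ad_fetch":
                if detail == "list=[]":
                    empty_fetch_seen = True   # "list of ads was empty" phase
                elif empty_fetch_seen and ts - start >= min_dormancy:
                    flags.add("delayed_activation")
            elif event == "notification" and "url=" in detail and not in_foreground:
                flags.add("background_ad_notification")
            elif event == "fullscreen_ad" and not in_foreground:
                flags.add("background_fullscreen_ad")
        findings[app] = sorted(flags)
    return findings
```

A run that stops after a few minutes would see only the empty ad list, so the dormancy window needs either a long run or clock acceleration to surface the second phase.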
As Google no longer endorses the apps, you're safe from the malware lurking inside them for now. But to protect yourself from any future attacks of this nature, Sophos recommends sticking to downloading apps from the Google Play store - despite Google's failure to spot the malware in these apps.