Security researchers have identified 32 separate apps on Google Play that harboured a bug called BadNews.
On infected phones, BadNews stole cash by racking up charges from sending premium rate text messages.
The malicious program lay dormant on many handsets for weeks to escape detection, said security firm Lookout which uncovered BadNews.
The malware targeted Android owners in Russia, Ukraine, Belarus and other countries in eastern Europe.
The exact numbers of victims was hard to calculate, said Lookout, adding that figures from Google Play suggest that between two and nine million copies of apps booby trapped with BadNews were downloaded from the store.
In a blogpost, Lookout said that a wide variety of apps were harbouring the BadNews malware. It found the programme lurking inside recipe generators, wallpaper apps, games and pornographic programmes.
The 32 apps were available through four separate developer accounts on Play. Google has now suspended those accounts and removed all the affected apps from its online store. No official comment from Google has yet been released.
Lookout said BadNews concealed its true identity by initially acting as an “innocent, if somewhat aggressive, advertising network”. In this guise it sent users news and information about other infected apps, and prompted people to install other programmes.
BadNews adopted this approach to avoid detection systems that look for suspicious behaviour and stop dodgy apps being installed, said Lookout.
This masquerade ended when apps seeded with BadNews got a prompt from one of three command and control servers, then it started pushing out and installing a more malicious programme called AlphaSMS. This steals credit by sending text messages to premium rate numbers.
Users were tricked into installing AlphaSMS as it was labelled as an essential update for either Skype or Russian social network Vkontakte.
Security firm Lookout said BadNews was included in many popular apps by innocent developers as it outwardly looked like a useful way to monetise their creations. It urged app makers to be more wary of such “third party tools” which they may include in their code.
Half of the 32 apps seeded with BadNews are Russian and the version of AlphaSMS it installed is tuned to use premium rate numbers in Russia, Ukraine, Belarus, Armenia and Kazakhstan.
Source: BBC News