Google has been forced to remove 300 Android apps from the Google Play Store after they were used to form part of a large-scale cyber attack.
According to security researchers, the issue is so severe that not only have the apps been removed from the Google Play Store, but Google is also going to forcibly remove them from any devices the malicious apps have been installed on.
The apps, which look completely legitimate, were found to be hijacking phones to form part of a massive botnet across more than 100 countries.
A botnet is a network of devices that have been infected with malware that allows hackers to control them remotely, and is typically used to carry out a distributed denial-of-service (DDoS) attack. This involves bombarding a website with so much traffic that it is unable to cope and is knocked offline.
The botnet in question is called WireX and was discovered by researchers from a number of different security firms including Akamai, Cloudflare, Flashpoint, Google, Oracle Dyn, RiskIQ and Team Cymru.
Researchers from the organisations identified that WireX was being powered by apps in the Google Play Store.
“We identified approximately 300 apps associated with the issue, blocked them from the Play Store, and we’re in the process of removing them from all affected devices,” Google said.
“The researchers’ findings, combined with our own analysis, have enabled us to better protect Android users, everywhere.”
Security researchers said the apps were able to surreptitiously launch an attack even when they were not being used or when the infected smartphone was locked.
“On August 17th, 2017, multiple Content Delivery Networks (CDNs) and content providers were subject to significant attacks from a botnet dubbed WireX,” the researchers said in a joint statement.
“The WireX botnet comprises primarily Android devices running malicious applications and is designed to create DDoS traffic.”
“Antivirus scanners currently recognize this malware as the ‘Android Clicker’ trojan, but this campaign’s purpose has nothing to do with click fraud. It is likely that this malware used to be related to click fraud, but was repurposed for DDoS,” they added.