Security researchers from McAfee have warned that up to 17.4 million Android users may have downloaded a form of Trojan malware that is reported to have been present in 144 different apps.
The threat, dubbed “Grabos”, was initially found in an app called “Aristotle Music audio player 2017”, which has been downloaded five million times. The researchers have since confirmed that it is present in another 143 pieces of software.
Security researcher Carlos Castillo wrote in a blog post: “Grabos gained popularity on Google Play because it allowed users to download music for free while constantly asking them to rate the app.
“However, users were not aware of the hidden functionality that comes with those apps, exposing them to custom notifications to install additional apps and open them without consent.
“Considering Grabos also reports the presence of specific social apps on infected devices, cybercriminals could use that information to deliver additional apps by tricking users into installing them using any of the notification methods implemented in the code.”
It is thought that the malware could also be used to track users’ movements in addition to the forced advertising.
McAfee notified Google of the malware in September and the apps have now been removed from the marketplace.
24 hours after the McAfee report was released, a Slovakian anti-virus firm called ESET said they had found eight malicious applications on the Google Play Store.
The payload was a banking Trojan designed to steal financial data, but luckily it only reached a “few hundred” downloads. Yet the threat was notable, the firm said, because it was a form of “multi-stage” malware – legitimate-looking but with delayed onset of malicious activity.
Researcher Lukas Stefanko wrote: “Multi-stage downloaders, with their improved obfuscation features, have a better chance of sneaking into official app stores than common Android malware.
“Users who want to stay protected should not rely fully on the store’s protections; instead, it’s crucial for users to check app ratings and comments and pay attention to […] permissions.”