Dozens of Android phone apps on the Google Play store are riddled with malware that slows phones, drains batteries and hijacks screens.
Online security experts have slammed 85 apps as fraudulent.
Most are dressed as photo editing software or games to lure users looking for free apps.
And the approach seems to be working for the crooks, as the apps have racked up more than 8 million downloads, says Trend Micro, the firm that published the research.
Google has banned the apps and removed them from Google Play, but millions are still loaded on mobile phones and tablets.
Millions of consumers probably don’t even know the apps are running in the background as they use their gadgets.
But the worst impact comes from adware that secretly hides on the phone.
“It isn’t your run-of-the-mill adware family,” said Trend Micro’s Ecular Xu.
“If the app has determined that it has been installed for more than 30 minutes, the app will then hide its icon and create a shortcut on the device’s home screen.
“This would deter the app from being uninstalled by dragging and dropping its icon to the Uninstall section of the screen.”
Deleting an app usually means dragging its icon to the bin. But because the adware hides its real icon and leaves only a shortcut on the home screen, deleting that shortcut removes the link, not the adware itself.
Cash generated for hackers
The malware behind the problem is called Agent Smith.
“Once a user installs one of these booby-trapped apps, the malware will get to work, exploiting vulnerabilities in the Android operating system. It extracts a list of all the legit apps that the user has installed on their phone and then sets about replacing them with identical-looking but malicious versions,” said Xu.
“If you’re unlucky enough to have your device infected with Agent Smith, it will then go on to hijack your apps to show unwanted ads – thereby generating money for the hackers. Although this doesn’t sound too catastrophic for the victim, there is the potential for the attack to get much worse. Researchers have claimed that the same malware could be used to steal sensitive information like online banking credentials from an infected device.”