A new breed malware has been discovered within at least 32 Android apps, which may have been downloaded up to nine million times.
The so-called 'BadNews' malware was outed by security firm Lookout Mobile Security in a blog post on Friday and the affected apps have now been removed by Google.
All of the apps found to contain the malicious code had been approved by Google, but it appears that the harmful elements had been added after the fact, disguised as updates.
Apps containing the BadNews code have been reporting back to a server and revealing sensitive information like the phone number and handset serial number.
'Bad guys are smart'
The affected apps include English and Russian-language games, dictionaries, wallpapers and were able to make it past the Google Bouncer software that scans the Play store for harmful apps.
Marc Rogers, principal security researcher for Lookout, told Ars Technica: "You can't even say Google was at fault in this because Google very clearly scrutinized all these apps when they want in.
"But these guys were cunning enough to sit there for a couple of months doing absolutely nothing and then they pushed out the malware.
"This is a wakeup call for us in the industry to say: 'Bad guys are smart as well and they'll take a look at the security models we put in place and they'll find weaknesses in them. That's exactly what they've done here."
Via Ars Technica