A strain of spyware – malicious software used to snoop on smartphone or tablet devices – was recently found to have sat undetected on Google's official app store for three years, leading to fears it has previously been used to "track" people in real-time.
According to Zscaler, a US-based cybersecurity firm, the spyware was caught posing as an Android security update and had been downloaded between one and five million times since 2014. After responsible disclosure, Google removed the application from its marketplace.
"The app, which claimed to give users access to the latest Android software updates, was being used to spy on a user's exact geolocation, which could have been used for any number of malicious reasons," said Zscaler security researcher Shivang Desai in a blog post.
The spyware, which the firm has dubbed "SMSVova" due to its reliance on text message-based commands, was flagged due to poor user reviews and the fact its Google Play store page lacked any real description despite being labelled as the latest Android OS release.
Based on screenshots of the reviews, many users were unhappy with the app. "Just a waste of space, if I tried to open the app it will say 'unfortunately system updates have stopped,'" one commenter said in November 2016.
Another simply wanted an update to play Pokémon Go, the popular augmented-reality game.
Once the user tries to start up the application, it immediately quits and displays the message "Unfortunately, Update Service has stopped." At that point the app would hide itself from the main screen, but it would have already connected to the attacker's server.
The researchers discovered the app supported commands that could fetch a victim's last known location, and that it scanned incoming text messages for the specific term "get faq". Once the app was installed, an attacker would send an SMS to the infected device to get a response.
Desai warned: "The attacker could set a password for this spyware, but it can also be accessed with the default password. Once a phone number and password are set, the spyware starts a process designed to send the device location to the attacker.
"This app has evaded Google's detection for a long time, which is apparent because we can see that the app was last updated in December 2014." In the blog post, he added: "This time lapse does not mean the app or its functionality are dead."
Zscaler discovered the spyware shared code with a notorious strain of malware called "DroidJack", which was found back in 2015 being used for similar purposes. It could take control of a device and record conversations, read emails and track locations.
In October 2015, the BBC reported a British law enforcement crackdown on its use resulted in the arrest of one 28-year-old suspect. International raids targeting users of the malware were launched across the UK, France, Germany, Belgium and Switzerland.
"There are many apps on the Google Play Store that act as a spyware; those that spy on messages of one's spouse or fetch the location of children for concerned parents," Desai wrote. "But those apps explicitly state their purpose, which is not the case with the app we analysed for this report."
IBTimes UK contacted Google for comment but had received no response at the time of publication.