Three separate firms have discovered malware outbreaks in the past week (Reuters)

Up to 17.4 million Android users have downloaded a form of Trojan malware found in 144 separate mobile applications, security researchers from McAfee warned this week.

In a blog post Tuesday (14 November), experts said the threat – dubbed "Grabos" – was discovered in an app called "Aristotle Music audio player 2017" that had been downloaded up to five million times. Upon further analysis, the malware was found on 143 more pieces of software.

The news came as two other cybersecurity companies – ESET and Dr Web – disclosed similar findings about sets of malicious mobile software successfully sneaking onto Google's official application market.

McAfee said that the majority of apps containing Grabos were last updated in August and October.

It said the malware's main purpose was to make money by promoting the installation of other software.

In total, between 4.2 million and 17.4 million users downloaded them from Google Play, McAfee said.

Security researcher Carlos Castillo wrote: "Grabos gained popularity on Google Play because it allowed users to download music for free while constantly asking them to rate the app.

"However, users were not aware of the hidden functionality that comes with those apps, exposing them to custom notifications to install additional apps and open them without consent.

"Considering Grabos also reports the presence of specific social apps on infected devices, cybercriminals could use that information to deliver additional apps by tricking users into installing them using any of the notification methods implemented in the code."

The firm revealed that, alongside forced advertising, the malware could track users' locations.

McAfee said it notified Google about the malware in September, and the software was swiftly removed. But that doesn't mean the app marketplace became free from threats.

Only 24 hours after the McAfee report was released, ESET, a Slovakian anti-virus firm, disclosed that it also recently found a set of eight malicious applications on the Play Store.

The payload was a banking Trojan designed to steal financial data, but luckily it reached only a "few hundred" downloads. Yet the threat was notable, the firm said, because it was a form of "multi-stage" malware – legitimate-looking but with a delayed onset of malicious activity.

Researcher Lukas Stefanko wrote: "Multi-stage downloaders, with their improved obfuscation features, have a better chance of sneaking into official app stores than common Android malware.

"Users who want to stay protected should not rely fully on the store's protections; instead, it's crucial for users to check app ratings and comments and pay attention to [...] permissions."

On 13 November, Dr Web, a Russian cybersecurity outfit, discovered a suite of nine other malicious apps on Google Play with more than two million downloads in total.

This software could covertly open websites, follow advertising links and banners located on them, and inflate traffic stats. It could perform phishing attacks and steal confidential information.

Two of the infected applications were branded as Bible trivia software.