Security experts have warned that a previously disclosed strain of Android malware, dubbed FalseGuide, is "far more extensive than originally understood" and has now infected roughly two million devices by posing as walkthroughs for popular mobile games.
Earlier this week, researchers from Check Point revealed malware in a number of applications on Google's Play Store, its official marketplace, posing as guides for Pokémon Go, World of Tanks and Fifa. In total, the apps had been downloaded up to 600,000 times.
However, less than 48 hours later, an updated blog post was published saying the malware – which ultimately aims to create a "botnet" (a large collection of infected devices) – was found on the Google Play Store hiding in five additional Android applications.
"The apps were uploaded to the app store as early as November 2016, meaning they hid successfully for five months, accumulating an astounding number of downloads," Check Point researchers said, adding that some single apps had more than 50,000 installs.
The malicious applications were submitted by two developers using the – likely fake – names Sergei Vernik and Nikolai Zalupkin. The malware, which "creates a silent botnet out of the infected devices for adware purposes", could access admin permissions to avoid being deleted by the user.
From there, it was able to receive messages, which the developers could use to push additional commands. In a worst-case scenario, the experts said, the developers could use the combined power of the infected devices to launch a distributed denial-of-service (DDoS) cyberattack and take down targets.
After they were disclosed, Google removed the fraudulent applications. "FalseGuide masquerades as guiding apps for games for two major reasons," explained researchers Oren Koriat, Andrey Polkovnichenko and Bogdan Melnykov, in a joint analysis.
"First, guiding apps are very popular, monetising on the success of the original gaming apps. Second, guiding apps require very little development and feature implementation. For malware developers this is a good way to reach a widespread audience with minimal effort.
"Mobile botnets are a growing trend since early last year, growing in both sophistication and reach," the experts continued. "This type of malware manages to infiltrate Google Play due to the non-malicious nature of the first component, which only downloads the actual harmful code.
"Users shouldn't rely on the app stores for their protection, and implement additional security measures on their mobile device, just as they use similar [products] on their PCs."
There have been a number of Google Android malware strains found in the wild in recent months. Only last week (18 April), a team of researchers from Securify, a Dutch cybersecurity firm, found a financial fraud Trojan dubbed 'BankBot' on the official storefront.