More than 80 malicious Android apps were caught lurking on Google's official Play Store that were designed to hijack credentials for VK, Russia's Facebook-like social network.
Google was forced to take action after Moscow-based security firm Kaspersky Lab detected the booby-trapped software – one of which had more than a million installations. In total, experts found 85 infected apps, which were later reported and removed from the marketplace.
In a blog post Tuesday (12 December), threat researcher Roman Unuchek said he believed the cybercriminals responsible were likely stealing the login details to boost the presence of selected VK groups or pages.
The software with 1m-plus downloads was hiding as a mobile game. Seven had up to 100,000 installations, and the remainder between 1,000 and 10,000.
The apps were found in October and November this year, but some had been there for 2 years.
The gaming app was notable as it had been uploaded to the Google store back in March 2017, but the hackers waited seven months to weaponise it.
The third-person game was titled "Mr President Rump" and its thumbnail was a cartoon version of Donald Trump. A description claimed players would assume the "role of a bodyguard."
As the majority of the apps posed as having legitimate links to VK– for monitoring page analytics, for example – most victims would have entered their passwords without thought.
The developers had programmed the malware to only target smartphone devices that were running languages linked to regions where the website is popular. These were: Russian, Ukrainian, Kazakh, Armenian, Azerbaijani, Belarusian, Kyrgyz, Romanian, Tajik, and Uzbek.
Unuchek wrote: "These cybercriminals were publishing their malicious apps on Google Play Store for more than two years, so they had to modify their code to bypass detection.
"We think that cybercriminals use stolen credentials mostly for promoting groups in VK.com. They silently add users to promote various groups and increase their popularity by doing so."
Created by Pavel Durov, VK - also known as VKontakte - is the most popular website in Russia, according to Alexa statistics. It currently boasts more than 400 million accounts.
The same app developer was also pushing apps that posed as services for chat service Telegram. A similar scheme was uncovered by Kaspersky Lab in 2015, exposing an app called VK Music.