Security researchers have identified 32 separate apps on Google Play that harboured a bug called BadNews.
In a blogpost, Lookout said that a wide variety of apps were harbouring the BadNews malware.
On infected phones, BadNews stole cash by racking up charges from sending premium rate text messages.
Lookout said BadNews concealed its true identity by initially acting as an "innocent, if somewhat aggressive, advertising network".
The malicious program lay dormant on many handsets for weeks to escape detection, said security firm Lookout, which uncovered BadNews.
BadNews adopted this approach to avoid detection systems that look for suspicious behaviour and stop dodgy apps being installed, said Lookout.
Lookout reports that BadNews targets mainly Russian and Eastern European users but has also been found in at least ten apps engineered for the English-speaking market.
Security firm Lookout said BadNews was included in many popular apps by innocent developers as it outwardly looked like a useful way to monetise their creations.
Even worse, it appears that BadNews is polymorphic, that is, it changes its own code structure depending on its deployment parameters, making it considerably harder to detect and remove.
Half of the 32 apps seeded with BadNews are Russian and the version of AlphaSMS it installed is tuned to use premium rate numbers in Russia, Ukraine, Belarus, Armenia and Kazakhstan.
The exact number of victims was hard to calculate, said Lookout, adding that figures from Google Play suggest that between two and nine million copies of apps booby-trapped with BadNews were downloaded from the store.
This masquerade ended when apps seeded with BadNews got a prompt from one of three command and control servers; BadNews then started pushing out and installing a more malicious programme called AlphaSMS. This steals credit by sending text messages to premium rate numbers.