Tens of thousands of Android users are thought to have fallen victim to newly discovered malware, which enlists devices as part of a hacker-controlled botnet.
Researchers at security firm Check Point, who discovered the malware, said in a blog post Monday that the malware is “persistent,” and is “difficult or even impossible to remove manually.”
The malware is dubbed “Viking Horde,” after one of the popular apps it poses as. The sophisticated malware campaign consists of a number of games and apps that are readily available through Google Play, the app store for Android devices.
At least five instances of the app have so far been able to evade Google Play’s malware scans for almost a month, since it was first submitted to the app store.
When the user installs the app, the device will automatically join a botnet — a network of devices controlled by an attacker — which disguises ad clicks to generate money.
The app also has full access to parts of the devices it infects, potentially leading to theft of personal data.
Some user reviews claim the app also sends premium text messages, which can be used to make money but also to conduct distributed denial-of-service (DDoS) attacks against users through persistent message sending.
Most Android phones aren’t rooted. Rooting allows the owner to deeply customize the device by opening up access to parts of the operating system that are usually locked down. But if the Android phone is rooted, the malware will download additional components that make the malware almost impossible to remove.
But the researchers warn that the malware can be used for far more nefarious purposes, such as remote code execution, which allows an attacker to compromise the data on the device.
So far, the malware-ridden apps have been downloaded tens of thousands of times — likely more. According to the researchers, one of the apps made it as a top free app in the Google Play store.
At the time of writing, the apps are still in the Google Play store — albeit with a considerable 1-star rating from the user reviewing community.
A spokesperson for Google did not respond to a request for comment at the time of publication.