Google removed from the Google Play Store 190 applications infested with malware.
Dr.Web researchers discovered the malware-infected apps at the end of April.
The Russian security firm says the apps contained a version of the malware identified as Android.Click.95.
Android.Click waits for six hours after the user installs it as part of an infected app, according to the Dr.Web analysis of the malware’s mode of operation.
After the six hours pass, the malware forcibly loads a URL in the user’s browser, which contains scareware-like messages informing the user his system or his battery has problems.
To fix his issues, the user has to download another app. In the cases they’ve observed, Dr.Web researchers said the malware redirected users back to the Google Play Store to download these second-stage apps.
“For each download, fraudsters receive interest under the terms of affiliate advertising agreements,” Dr.Web researchers said in a post. “It explains why Android.Click.95 is so much widespread—the cybercriminals try to make as much profit as they can from these downloads.”
These messages to download other apps appear every two minutes. The tactic of constantly pestering users with nagging popups was also detected in another Android Trojan, Android Banker, discovered by Avast, which was also more aggressive.
Dr.Web researchers said all the Google Play Store apps they’ve detected with Android.Click came from six users: allnidiv, malnu3a, mulache, Lohari, Kisjhka, and PolkaPola. These were apps that showed daily horoscopes, dream-books, life advices, jokes, and similar useless applications.
Google delisted all the apps associated with these accounts.