Android owners are being warned over fears millions of devices may have been infected by adware from apps on the Google Play store.
SophosLabs have pinpointed 47 apps that use a third-party library which overwhelms users with ads that are displayed even after the app is force-stopped.
The UK-based researchers said Google has removed some of the privately reported apps while others still remain.
The Android apps that continuously pops up ads have been downloaded up to six million times, according to SophosLabs.
The apps include the MarsDae library which spawns the pop-up torrents.
It supports Android versions 2.3 through to 6, as well as Samsung, Huawei, Mizu, Mi, and Nexus devices.
SophosLabs gave one app, Snap Pic Collage Color Splash, as an example of a Google Play app that incorporates MarsDae.
It has been downloaded from Google Play more than 50,000 times.
Once the app is installed, it causes pop-up ads to appear on the user’s home screen.
Even if you go into the system settings and force stop the app, the ads will resume after a few seconds.
The Snap Pic Collage Color Splash has since been taken off the Google Play store.
SophosLabs outlined how the apps continue causing ads to appear on Android 5 and 6.
Once dropped on an these versions of Android, the MarsDae library repeats a series of steps to keep the ads running.
SophosLabs said the following happens:
• It runs code that kicks off a number of processes
• It creates a file, then locks it
• Each process creates another file. For example, Process A creates a2 and repeatedly checks if Process B has created file b2, and vice versa
• If Process A finds file b2, it means Process B has started and locked file b1. Process A can delete file b2. Process B will do the same thing for file a2
• Process A keeps monitoring the lock status of file b1 while Process B monitors file a1. If any file is unlocked, it means the related process is dead. Then anther process can restart it again
SophosLabs added: “As clever as the technique may be, all it does in the long run is ruin each app’s reputation on Google Play.
“Annoyed users have made their unhappiness known.”
They added: “If you see these apps in Google Play, don’t download them. We’ll continue working with Google to get the remaining apps removed.
“The continued onslaught of malicious Android apps demonstrates the need to use an Android anti-virus.
“By blocking the install of malicious and unwanted apps, even if they come from Google Play, you can spare yourself lots of trouble.”
SophosLabs also published a list of apps that they say are affected by the adware – and you should check to see if you have downloaded any of them.
The Android warning comes weeks after the Judy malware campaign was revealed.
Experts feared the malware campaign, fake advertising clicks in order to generate revenues for those behind it, infected over 36.5million Android devices.
It was spread from 41 malicious apps which were downloaded up to 18.5m times from the Google Play store.
The Judy malware campaign was discovered by security firm Check Point, who said is “possibly the largest malware campaign found on Google Play.”
The malware was named Judy after the cute character ‘Judy the chef’ who appears in most of the affected apps.