Malicious apps hide after installation and aggressively display full-screen advertisements.

Symantec has uncovered another wave of malicious apps in the Play Store which has been downloaded more than 2.1 million times. The company reported these apps to Google on September 2, 2019, and they have been removed from the store.

A total of 25 Android Package Kits (APKs), mostly masquerading as a photo utility app and a fashion app, were published under 22 different developer accounts, with the initial sample uploaded on April 2019.

These 25 malicious hidden apps share a similar code structure and app content, leading Symantec to believe that the developers may be part of the same organizational group or, at the very least, are using the same source codebase.

The app uses hidden icons, and the malware displays advertisements, which are shown even when the app is closed. Full-screen advertisements are displayed at random intervals with no app title registered in the advertisement window, so users have no way of knowing which app is responsible for the behavior.

Monetary gain from advertising revenue is likely the motivating factor behind these apps.