Your Android phone could be one of millions at risk from a massive malware campaign that's already infected more than 331 apps on the Google Play Store, security experts have warned.
These malicious apps can steal your passwords and credit card information — and worse of all, cybercriminals can hide the app icons on your phone, something that should be impossible on any handset running Android 13 or newer.
Researchers at anti-virus firm Bitdefender and IAS Threat Lab, who uncovered the extensive operation, have outlined some steps that you can take to safeguard your personal data and remove these dangerous files.
Google Play Store — the default digital storefront to download Android apps and games — scans over 125 billion apps every single day in a bid detect and remove all harmful software. However, despite the Californian company's best efforts to delete all of the compromised applications, experts say the campaign remains active.
In total, these malware-laced Android apps have amassed over 60 million downloads worldwide.
They typically masquerade as innocent utility applications such as QR code scanners, expense tracking tools, health and fitness apps, wallpaper utilities, PDF readers, horoscopes, and even flashlights. These apps generate revenue for cybercriminals by displaying full-screen adverts even when they're not running in the foreground and without any of the usual permissions required. And the subterfuge doesn't end there.
These malicious apps employ a grab bag of techniques to bypass Android security restrictions, including hiding their icons from the launcher and starting without any input from you — something that should be impossible in Android 13 or newer.
This latest Android malware campaign seems to either be the work of a single person — or multiple criminals using the same packaging tool sold on black markets, experts at Bitdefender claim.
How these malicious apps disguise themselves as legitimate applications
Explaining the timeline of their investigation in a blog post, researchers at Bitdefender said: "Most applications first became active on Google Play in Q3 2024. After further analysis, we saw that older ones that had been published earlier were initially benign and did not contain malware components.
"The malicious behaviour was added afterwards, starting with versions from the beginning of Q3. To be clear, this is an active campaign. The latest malware published in the Google Play Store went live in the first week of March 2025. When we finished the investigation, a week later, 15 applications were still available for download on Google Play."
If you've recently downloaded any utility apps, particularly those with simple functionality, your device could be compromised. If you suspect you've downloaded one of these malicious apps, here's what to do:
- Check for any recently installed utility apps that you don't actively use — delete them immediately
- Look for signs of infection such as unexpected ads, device lagging, overheating, or data usage while idle
- Ensure Google Play Protect is enabled and do not disable it to install any application
- Update to the latest version of Android, as older versions are more vulnerable
- Avoid installing free, trivial apps that could be used as bait by attackers
As well as generating ad revenue for shadowy criminals, some of these apps are designed to steal login details. To do this, these malicious apps conduct phishing attacks by displaying fake login pages for popular services like Facebook and YouTube, tricking users into entering their credentials — and sending their data directly to hackers.
Other Android apps included in this latest campaign attempt to frighten smartphone and tablet owners into believing their devices are infected, pressuring them to install additional dangerous applications.
The campaign appears to date back to April 2024, before expanding significantly at the end of last year. Over 140 bogus applications were added to the Google Play Store in October and November alone.
What makes these apps so deceptive is that criminals initially submitted them to the Play Store with no malicious code. Since these apps started as legitimate, benign applications, they were able to pass Google's strict security vetting process without breaking a sweat — before being updated at a later date with malicious components.
The apps employ sophisticated methods to remain hidden on devices, including disabling the Launcher Activity by default and using native code to activate it temporarily. After completing setup, the app deactivates its launchers, making the icon invisible from the phone's launcher.
Some apps utilise the Android Leanback Launcher, designed for Android TV and not typically found on standard phones. Others attempt to hide within Settings or change their name and icon to impersonate legitimate Google apps like Google Voice to evade detection.
As it stands, most victims are located in Brazil, followed by the US, Mexico, Turkey, and South Korea.
While Google has removed most of the identified apps from the Play Store, security researchers warn that some remain active and available for download. Of course, if you've already downloaded one of these dangerous apps, the latest action from Google will do nothing to protect your device — you'll need to take action on your own.
Silviu Stahie, Security Analyst at Bitdefender, told The Sun: "The campaign has been active for months, and it's clear that the concealment methods are evolving in real-time.
"The attackers have grown sufficiently confident to push updates for these apps and will likely attempt to modify the malware further in their efforts to escape detection."
LATEST DEVELOPMENTS
- EE unleashes upgrade to 28 million people across UK at no cost
- New update could make YOUR iPhone unrecognisable
- British start-up releases £329 Android smartphone
- Best Sky Stream deals
Bitdefender also noted that Google has been informed of the findings and is currently investigating the issues raised. While the security researchers have identified 331 malicious apps in total, they have not released a comprehensive list of all application names involved in the campaign.
Two apps specifically mentioned from the latest batch uploaded to the store on March 4 were "Dropo" and "Handset Locator."
Google has removed most of the identified apps, but users who have already installed them remain at risk. The apps communicate using encrypted channels and deploy anti-analysis mechanisms to evade detection, making them particularly difficult to identify.
Find Out More...