Dubbed Android.Dropdialer, the malware in question is a Trojan that sends SMS messages to premium rate numbers, but only if the user is on either Mobile TeleSystems networks or Beeline, two popular Russian telecom providers that are also present in some Central and Eastern European countries.
The two apps have been posted on Google Play on June 24, and have since then been downloaded by some 100,000 users.
How is that possible? After all, at the beginning of this year, Google added an automated app scanning service to the market in order to prevent things like this from happening.
Well, as it turns out, Google's Bouncer is not very effective when it comes to detecting malware that is delivered in multiple payloads.
"In the case of Android.Dropdialer, the first stage was posted on Google Play," explained the researchers. "Once installed, it would download an additional package, hosted on Dropbox, called ‘Activator.apk’."
It is that additional package that actually sends the pricy messages, and once it does that, it is also programmed to prompt the user to uninstall it.
The worst thing is that with both payloads, the users are asked to approve a set of permissions, and among those is the permission to send SMS messages.
This particular permission often comes with the note that it may cost users money, but that does not seem to stop them from installing the app. Once again, the users have proved to be the weakest link in the security chain.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.