Once a user downloads the app, the executed code hides its icon and displays full-screen ads (which is similar to an issue discovered last month). The ads do not indicate which app is triggering them, and they're displayed even when the malicious app is closed, so users have no way of knowing which one to delete. Symantec cites monetary gain from ad revenue as the likely motivation behind the malware tactics.

Given the similarity between the apps, Symantec believes that they may have been created by one organization. The app listings on the Play Store are also pretty sneaky: the organization publishes two versions of the same app, one being a benign version and another being the malware version. The unaffected version may rank in top charts or the trending category, but when users manually search for the app, they have a 50-50 chance of downloading the ad-triggering variant.

Where this wave differs from previous batches of malware is in how the app icons are hidden. The programming that conceals the apps isn't hard-coded. Instead, a remote switch is built into the configuration files, which means that Google's security testing doesn't catch that aspect of the code.

Symantec and other security firms are frequently discovering new malware practices on the Play Store, which raises the question of how proactive Google is being. It could very well be the case that Google has effective security practices in place, but apps like these keep falling through the cracks. Even if that is the case, additional measures are needed to better protect Android users from malware and adware.