Security researchers have found more malware hosted in Google's Android marketplace, the Google Play Store, a discovery that once again demonstrates the limitations of a recently deployed scanning service designed to flag malicious apps before they can be downloaded by end users.

Android.Dropdialer, a trojan that racks up costly charges from forced calls made to premium phone numbers, was found in two separate titles that weren't caught for weeks, according to a blog post published Tuesday by Irfan Asrar, a researcher with antivirus provider Symantec. "Super Mario Bros." and "GTA 3 Moscow City," as the malicious apps were packaged, generated as many as 100,000 downloads, although Asrar didn't say if that figure was for each separate title or in aggregate.

"What is most interesting about this Trojan is the fact that the threat managed to stay on Google Play for such a long time, clocking up some serious download figures before being discovered," Asrar wrote. "Our suspicion is that this was probably due to the remote payload employed by this Trojan."

In a blog post published last year, Asrar explained how breaking up a malicious app into separate, staged payloads prevented automated screening processes from detecting the malware. The idea behind the technique is that rather than including all the malicious code in a single file, attackers break it up into separate modules that are delivered independently. In the case of Android.Dropdialer, the first stage was posted on Google Play (formerly known as the Android Market), and once installed, it would download additional packages.

The post appears to say that victims of this malware were at some point still presented with a list of permissions that included "services that cost you money," which would mean that end users who fell prey to this threat shoulder much of the responsibility. But considering the malicious titles were hosted on Google's own servers, it seems the company should also share some of the blame. In February, the search giant unveiled Bouncer, a cloud-based malware scanner. Since then, researchers have independently discovered abusive apps in Google Play on at least two other occasions. Researchers also found malware hosted in the Google Chrome Web Store.

Mobile security experts Jon Oberheide and Charlie Miller recently said they've devised multiple ways to sneak malicious apps into Google Play by subverting Bouncer. Google representatives didn't respond to an e-mail seeking comment for this brief.