Security researchers have identified 32 separate apps on Google Play that harboured a bug called BadNews.
On infected phones, BadNews stole cash by racking up charges from sending premium rate text messages.
The malicious program lay dormant on many handsets for weeks to escape detection, said security firm Lookout which uncovered BadNews.
The malware targeted Android owners in Russia, Ukraine, Belarus and other countries in eastern Europe.
The exact numbers of victims was hard to calculate, said Lookout, adding that figures from Google Play suggest that between two and nine million copies of apps booby trapped with BadNews were downloaded from the store.
In a blogpost, Lookout said that a wide variety of apps were harbouring the BadNews malware. It found the programme lurking inside recipe generators, wallpaper apps, games and pornographic programmes.
The 32 apps were available through four separate developer accounts on Play. Google has now suspended those accounts and removed all the affected apps from its online store. No official comment from Google has yet been released.
Lookout said BadNews concealed its true identity by initially acting as an "innocent, if somewhat aggressive, advertising network". In this guise it sent users news and information about other infected apps, and prompted people to install other programmes.
BadNews adopted this approach to avoid detection systems that look for suspicious behaviour and stop dodgy apps being installed, said Lookout.
Read more: http://www.bbc.co.uk/news/technology-22213383
Google Play, Apple App Store apps caught stealing crypto wallets
77 Android apps on Google Play with 19 million installs spread malware, hitting 831 banks and exposing users to fraud and theft.
Google blocked 2.36 million risky Android apps from Play Store in 2024
Google Removes 224 Android Apps Used in SlopAds Fraud Campaign – How to Stay Safe