A new malicious string of Android malware called "BadNews" may have been downloaded as many as 9 million times say mobile security experts Lookout.
Revealed in a Lookout blog posting over the weekend, the malware has sat hidden in 32 Android apps, with its creators avoiding Google's virus-tracking Bouncer software by only injecting the malware into the apps as post-launch updates.
The malware, which was hidden in downloads including games, dictionaries and wallpapers, contains code which harvests sensitive information including phone numbers and handset serials before relaying the information back to a server.
"You can't even say Google was at fault in this because Google very clearly scrutinized all these apps when they went in," said Marc Rogers, principal security researcher for Lookout, speaking to Ars Technica.
"But these guys were cunning enough to sit there for a couple of months doing absolutely nothing and then they pushed out the malware.
"This is a wakeup call for us in the industry to say: 'Bad guys are smart as well and they'll take a look at the security models we put in place and they'll find weaknesses in them. That's exactly what they've done here."