Antivirus company McAfee published its findings on the presence of a new kind of malware in a large number of Google Apps, which could make your Android smartphone vulnerable to hacking. The malware, which has been called “Grabos,” was initially discovered in lines of code of several apps.

Users are at a risk of installing such apps since these apps seem to have fooled Google’s safety checks and have also received a high rating on the Play Store.

Most of these apps were launched on the Google Play Store as recently as August. The first such application was the Aristotle Music Audio Player 2017, which was a free audio player available on Google Play. The app had been installed between 1-5 million times, even though some users had commented that it was malware.

Going by the list of apps published by McAfee in its blog post Sunday, most such apps seem to be music-themed and are either music players or music downloaders which let users listen to or download music for free. These apps then ask the user repeatedly to rate them on the Google Play store.

These apps seem to have been rated as high as 4.4 which is the same as Shaza, a verified safe music recognition app.

What’s interesting is how these apps have fooled the Google Play Store safety check. When such apps are installed, the malware is injected into the file explorer on your device and into your music player applications. They then check if your device is connected to the internet and whether the Developer Settings on your device are enabled. It also checks whether your device’s control server can flag malware.

If it receives a positive response to any of these parameters, a fake app is launched — the infected app works like any regular app. However, if such checks are not activated on your device, the real app launches. Then it tries to infect your device with malicious files.

These apps resemble functionality of real apps which is hidden inside a malware package. Two alternate lines of code are available to the app and it will determine which one will run based on if it can pass safety checks on your device as well as the Google Play Store.

These apps then collect information from your device including:

  • android_version
  • build_model
  • install_referrer
  • network_country
  • sim_country
  • carrier_name
  • language_code
  • country_code
  • time_timezon0065

It also collects your IP address, geographical location, and also determines whether your device is rooted or not. If yes, the data is rooted to a remote server.

McAfee listed 144 apps to Google which have been removed from the Play Store. According to the company, these apps were being used only for running spam ads on Android devices.

“During our analysis of this threat, the control servers always provided empty parameters for the custom notifications to trick users into installing applications. Taking into account the functionality to display ads and the high number of downloads, we believe the main purpose of Grabos is to make money by promoting the installation of apps,” McAfee said in its blog post.

However, the extent of the information collected and the devices affected could easily land in the hands of cybercriminals who could hack into your device. It is therefore advisable not to use third-party apps to download free music or free functionality, even if they have received a high-rating in the Google Play Store. You might be better off downloading more well-known apps such as Pandora or Spotify.

If you still want to install such apps, a simple check that you can perform while using such apps would be to check if they are available both in the iTunes Store and the Google Play Store. On an Android device, you will be able to do this by going to the iTunes Store webpage. You can then ensure that the app has passed through the checks on both app store.