You just never know where that malware might be lurking. Even that seemingly harmless QR code reader could have been a target.

That's what SophosLabs security researchers discovered last week, according to a report we learned about on CNET sister site ZDNet. Sophos detected malware that had infiltrated the Google Play Store by way of seven different Android apps: six QR readers and one smart compass.

Callled "Andr/HiddnAd-AJ," the name hints at what the malware does. It blasts users with ads, but "only after lying low for awhile to lull you into a false sense of security," Sophos' Paul Ducklin wrote on the company's Naked Security blog.

"Following installation, the malware waits for six hours before it begins work on its true purpose -- serving up adware, flooding the user with full screen adverts, opening adverts on webpages and sending various notifications containing ad related links," wrote ZDNet's Danny Palmer.

Sophos said the malicious apps were downloaded 500,000 times before they were pulled by Google, which didn't immediately respond to a request for confirmation and comment.

