These viruses were disguised as free wallpaper, camera and video editing apps, but contained a costly side effect. Malware in the apps would secretly register victims for paid services or send fraudulent text messages that people would have to pay for. Check Point named the malware "ExpensiveWall," after finding the majority of the infected apps were fake wallpapers.
ExpensiveWall is actually a new strain of a previously known malware, which McAfee discovered in January on Google Play. "The entire malware family has now been downloaded between 5.9 million and 21.1 million times," said Check Point's researchers in a blog post.
The security company said it notified Google on Aug. 7 about the phony apps, and Google quickly removed them. But within days, even more fake apps popped up, and they were downloaded more than 5,000 times before Google removed the new crop.
The fake apps were able to slip by Google's Play Protect, which is supposed to scan Android devices for malicious software, because the scammers "packed" the malware, using an advanced hiding technique that ducks under Google's radar, Check Point said.
"We've removed these apps from Play and always appreciate the research community's efforts to help keep the Android ecosystem safe," a Google spokesman said in a statement.
Even though Google removed the apps from its store, if you downloaded one, your device is still infected, Check Point's researchers warned.
First published Sept. 14, 7:25 a.m. PT. Updated, 9:33 a.m. PT: To include comment from Google.