Once downloaded, the malicious apps displayed "highly pornographic" pop-up advertisements in a new web page, and attempted to scare users into installing fake security apps.
The malware, dubbed AdultSwine by security shop Check Point, was found in apps like "Drawing Lessons Lego Star Wars", "Fidget spinner for Minecraft" and "Spinner Toy for Slither", along with a large number of Android games.
The apps had so far been downloaded between 3 million and 7 million times, the researchers said, citing Google Play's data.
Affected apps include Five Nights Survival Craft, with between 1 million and 5 million downloads, and Mcqueen Car Racing Game, which has been downloaded at least 500,000 times. "We appreciate Check Point's work to help keep users safe", said the spokesperson.
Although Google actively scans the Play store for malicious code, policing its vast, ever-evolving catalog of apps is a challenge. Numerous games were aimed at children. "I did and my son opened it and a bunch off thilthy [sic] hardcore porn pictures popped up".
The inappropriate ads being displayed come from two main sources, Check Point said: mainstream ad providers and the malicious code's own ad library (where the porn ads stem from). If the user clicks through, the malicious code eventually asks the user to enter a phone number to receive the "prize", which, of course, is a ploy.
"We've removed the apps from Play, disabled the developers' accounts, and will continue to show strong warnings to anyone that has installed them", Google said in an emailed statement.
The malware also attempts to lure unsuspecting patrons into registering for fake premium services.