85 apps in Google Play that collectively have been installed nine million times by users all over the world came with an adware strain capable of pouring fullscreen adverts at regular intervals or when the user unlocks the device.
None of the apps had real functionality and their true purpose was to make money for their developer by dropping a deluge of advertisements on the devices that installed them.
Attractive adware wrap

The fake apps were disguised as games (car simulators), apps for streaming television channels from various countries (Brazil, Canada, South Africa, Spain), or posed as remote controllers for TV sets.
Malware researchers at Trend Micro say that the adware (detected as AndroidOS_HidenAd) distributed this way could hide itself and run in the background, and monitor the lock state of the device.
The most popular of the fraudulent apps was Easy Universal TV Remote, last updated on November 12, 2018. It is unclear how long it survived in Google Play, but it accumulated over five million installations.
If the rating and the number of user reviews provide any clue about the longevity of the fake app, this one has an average of 3.9 stars from over 132,000 Android users.

Its changelog shows details from version 1.2, when the developer announced compatibility with Ikea televisions (Uppleva), a project the retailer started in 2012 and which has been in its second generation since 2014.
Different devs, similar ad-pushing tactics

Ecular Xu of Trend Micro says that all apps delivering the HidenAd adware show similar behavior, despite coming from different developers and being signed with different certificates.
When the user launches the adware on the device it serves an initial fullscreen pop-up. Closing the ad reveals what appears to be an app button ('start,' 'open app,' 'next') but tapping it triggers another fullscreen ad.
"After the user exits the full-screen ad, more buttons that provide app-related options for users appear on the screen. It also prompts the user to give the app a five-star rating on Google Play. If the user clicks on any of the buttons, a full-screen ad will pop up again," Xu explains in a blog post today.
If the user insists on using the app, a loading screen appears and the fake app's interface vanishes. It still runs in the background, though, launching an ad every 15 or 30 minutes.
Another behavior of the adware-laden apps is to push ads every time the user unlocks the device screen.

Google needs a better broom for its Play store

The 85 fake apps discovered and reported by Trend Micro are not the only ones pulling a fast one on Android users.
Another recent example is a weather app installed at least five million times according to statistics in Google Play available via a page capture in the Wayback Machine. It is developed by Chinese developer TCL and it also comes pre-installed on some phones from Alcatel (owned by Finnish company Nokia and used under license by Chinese electronics company TCL Corporation).

Mobile security company Upstream found that the variant available in Play store asked for a set of "special and high-risk permissions" an app of its kind does not require for normal functioning, such as reading low-level system log files.
What the Upstream investigation found was that the app was running ad-fraud activities behind users' backs by accessing various web pages with advertisements without any interaction.
Its activities cost victims 250MB of mobile traffic every day and subscribed them to a premium service in Brazil. Upstream estimates that the fraudulent weather app generated over 27 million transaction attempts, which could have cost users $1.5 million in unauthorized charges.
Google has removed the apps reported by Trend Micro and the one analyzed by Upstream.