Sneaky Malware found and removed on Google Play

Google found and removed eight apps from the play store that was secretly malware.

The apps appeared to be a mixture of Android cleaners and news apps. They functioned and behaved like legitimate apps.

However in the background they would decrypt and then execute a first stage payload. That payload would in turn decrypt and execute a second payload. Finally that payload would decrypt and execute a third-stage payload which happened to be a malicious app. They were kind of like Russian nesting dolls, where the smallest doll turns out to be really bad.

These apps would then open up fake login forms to try to steal bank credentials or credit card details. Just one of these apps had been downloaded 3000 times with most of it happening in the Netherlands.

What to do if you have fallen for this trick

People who have downloaded one of these apps need to deactivate the admin rights for the last payload, after that they will be able to uninstall the rest of the apps.

This is how you do that:

  • Settings > (General) > Security > Device administratorsand search for Adobe Flash Player, Adobe Update or Android Update and deactivate the rights for them, then go to
  • Settings > (General) > Application manager/App, search for those fake apps, and uninstall them. Finally, go to
  • Settings > (General) > Application manager/Apps, search for the original malicious app and uninstall it.