A new report has found that hackers have been loading advanced Android malware onto the Google Play Store for years.

Kaspersky Lab was first alerted to the issue in July 2019, prompting them to investigate. What they found was a variety of malware that, rather than trying to display ads or steal the victim’s money, worked to create a backdoor on infected devices that could be exploited with custom malware payloads.

The malware apps used a variety of sophisticated techniques to bypass Google’s approval process, including what essentially amounts to a bait-and-switch. The apps would often install with little to no permissions required, only to gain the necessary permissions later. In other cases, the apps would install a benign version, and then create the backdoor at a later date. Once a phone was infected with a malicious version, hackers then had an access point that provided a wealth of information.

“Functionality of all samples are similar – the main purpose of spyware was to gather sensitive information,” writes Alexey Firsh and Lev Pikman. “While the basic functionality was not very broad, and included geolocation, call logs, contact access and SMS access, the application could also gather a list of installed applications, as well as device information, such as model and OS version. Furthermore, the threat actor was able to download and execute various malicious payloads, thus, adapting the payload that would be suitable to the specific device environment, such as Android version and installed apps. This way the actor is able to avoid overloading the application with unnecessary features and at the same time gather information needed.”

This is a particularly disturbing discovery and, hopefully, Google will be quick about resolving their vetting process issues to ensure this kind of malware does not continue appearing on the Google Play Store.