Security firm Symantec has reportedly found a number of malicious apps that were previously kicked out of the Google Play Store, now back with new developer names, new app names, and new icons that ape Google's own app selection. The apps in question are duplicates of malicious apps that previously slipped past Google's protections, right down to the last line of malicious code. These new apps are the return of a malware class known as Android.Reputation.1, which first appeared all the way back in 2014.
For those who never read about the previous infestation, this particular malware appears in apps that don't actually do what they're advertised to do. Instead, after a few hours, they hide themselves and begin their malicious behaviors. It all starts with the apps asking for device administrator privileges, as malware often does. If those permissions are granted, the app can not only hide, but also perform a number of actions on the device and keep the user from uninstalling it. From there, the app will redirect users to scam web pages at random, and will pull ads from Google to make the malware creators some profit. The apps all connect to a command server, which means that they can use their administrative privileges to do just about anything, though it's worth noting that none of the variants Symantec has found have actually received further instructions from the server as of this writing.
While identity theft and selling user data can be extremely lucrative, it seems like all this malware is set to do is serve ads and other unwanted content to make the malware's creators a quick buck. This behavior is annoying, to be sure, but not entirely dangerous in and of itself. Users are still cautioned to be very careful about what they download, and to stick to the Play Store when possible, even if its protections aren't infallible. Just about any mobile antivirus program that gets administrative privileges on your device, such as Lookout or Symantec's own solutions, should be able to remove any malware in the Android.Reputation.1 family, seeing as the codebase has not changed since 2014.