According to Symantec researchers, the apps have been downloaded and installed by over 70,000 users.
Given that a typical mobile user has information of around 50 contacts stored in his device, it is safe to say that the names, phone numbers and occasionally email addresses of millions of users have been exfiltrated by the developers of the apps in question.
"The apps share common programming code so we can assume it is a sole individual or an organization who is committing the crime," say the researchers. "The very first app we confirmed appeared on Google Play around February 10 and more followed until late March."
"Originally the apps posted were not game related, but were random ones including apps of an erotic nature, a contact management app, a recipe app, and a diet assistant app to name a few. But the number of downloads were low. Then in late March, a bunch of apps with names ending in “the Movie” were released. These apps caught the attention of a large number of users who installed them."
The apps targeted Japanese users, and asked for three permissions:
While the first permission seems logical, the remaining two would not actually be needed if the apps were legitimate and did exactly what they claimed (i.e. show a movie).
Unfortunately for the users who installed them, the apps would first send their contacts and their Android ID and phone number to a remote server, then download and play the appropriate movie from the same server.
If the app didn't succeed in exfiltrating the data, it would simply notify the users that an error has occurred and the video has not loaded.
"The purpose of this attack is not clear; however, a strong assumption is that the scammers are harvesting emails addresses and phone numbers to use for their next round of malicious activities, such as spamming scams by email or calling individuals to attempt to defraud them," the researchers comment.
"It is interesting to note that these apps post the personal data to a hosting server known to distribute Android.Oneclickfraud variants," the researchers add. "The information that Android.Oneclickfraud attempts to steal is also exfiltrated to the same server. Could it be a coincidence here or is there some relationship between the two malware?"
The apps in question have now been booted out of Google Play, but given that some of them have been around for quite a while and Google hasn't spotted them, users are advised not to consider everything they download from Google Play as safe.
In this particular case, one of the things that should have made the victims suspicious is the fact that the app name given on the market doesn't correspond with the app name when it's installed on the device.
Reading our newsletter every Monday will keep you up-to-date with security news.
Receive a daily digest of the latest security news.