Up to 10 million Android phones have been hit by malware used to generate false clicks on adverts, security researchers at Checkpoint and Lookout have warned.
The malware is also known to install apps and monitor users’ browsing habits on infected devices. The study suggests that this malicious software is currently generating profits of $300,000 (£232,000) a month for its developers.
The software, referred to as HummingBad by Checkpoint and Shedun by Lookout, is a type of malware known as a rootkit. It works deep within a device’s operating system to give cybercriminals complete control of a handset. Controllers can then click on adverts to increase their apparent popularity and install unwanted apps.
Kirsty Edwards from Lookout explained that Shedun is resilient to user attempts to remove it from their phones. She said: “It can remain persistent even if the user performs a factory reset. It uses its root privileges to install additional apps on to the device, further increasing ad revenue for the authors and defeating uninstall attempts.”
Shedun controllers exploit loopholes in older versions of the Android operating system including KitKat and JellyBean to install the malware on phones.
In a statement, Google said: "We've long been aware of this evolving family of malware and we're constantly improving our systems that detect it. We actively block installations of infected apps to keep users and their information safe."