Hundreds of thousands of Android users fell victim to malware embedded in QR code apps. According to researchers at SophosLab, the malware called Andr/HiddnAd-AJ was found in seven apps of which six were QR code reader apps and one was a smart compass app.

Although Google has already removed these apps from the Google Play Store, it was not before they were downloaded more than 500,000 times.

“The adware part of each app was embedded in what looks at first sight like a standard Android programming library that was itself embedded in the app.

“By adding an innocent-looking ‘graphics’ subcomponent to a collection of programming routines that you’d expect to find in a regular Android program, the adware engine inside the app is effectively hiding in plain sight,” said the report.

Despite the malware, the apps still worked. The QR code readers, for instance, could still scan QR codes. So if a user was just trying out apps for fun and deleted it soon after, he or she won’t be exposed to the malware as it only kicked in six hours after the installation.

Users unlucky enough to continue using it were avalanched by adware that filled the entire screen and when they opened the web browser.

“For all its apparent innocence, however, this malware not only pops up ads, but can also send Android notifications, including clickable links to lure users into generating ad revenue for criminals,” the report stated.

Despite the hiccup, Sophos advises users to stick to Google Play as the company does at least carry out some pre-acceptance checks for apps and games.

“Many off-market Android app repositories have no checks at all – they’re open to anyone, which can be handy if you’re looking for unusual or highly specialised apps that wouldn’t make it onto Google Play. But unregulated app repositories are also risky, for all the same reasons,” it stated.