ARS Technica writes Check Point security researchers discovered that Google's Play store hosted a total of 56 malicious apps that got installed by 1.7 million users. Twenty-four of these apps were marketed to children. The security researchers note these apps were written in native Android code (C or C++), which made them harder to detect than typical Android apps that are written in Java.
Tekya is a family of malware that generates fraudulent clicks on ads and banners delivered by agencies including Google’s AdMob, AppLovin’, Facebook, and Unity. To give the clicks the air of authenticity, the well-obfuscated code causes infected devices to use Android’s “MotionEvent” mechanism to imitate legitimate user actions. At the time that researchers from security firm Check Point discovered them, the apps went undetected by VirusTotal and Google Play Protect. Twenty-four of the apps that contained Tekya were marketed to children. Google removed all 56 of the apps after Check Point reported them.
Additionally, security researchers from Dr.Web discovered an undisclosed number of Google Play apps with Android.Circle.1 malware. These apps were downloaded over 700,000 times. All reported apps have been removed by Google. If things work as intended, this process also involves the installation of malicious apps on user devices.