Google Play Store has a malware problem. And it doesn’t seem to go away despite the company’s best efforts to rein in sketchy apps.

In a yet another instance of Android adware, New Zealand-based independent security researcher Andy Michael found four Android VPN apps with cumulative downloads of over 500 million that not only serve ads while running the background, but are also placed outside the apps, including the home screen.

The apps in question are Hotspot VPN, Free VPN Master, Secure VPN, and Security Master by Cheetah Mobile. It’s notable that all these apps originate from Hong Kong and China, where citizens have typically relied on VPNs to get around the Great Firewall.

The apps are live on the Play Store to this date. But in an interesting twist, the apps containing the adware were all VPN or antivirus apps, suggesting that developers are increasingly banking on users’ trust in security-related apps to commit ‘outside ad fraud.’

Disruptive ad behavior

Apart from containing advertisement APIs from both Google and Facebook, Hotspot VPN, developed by HotspotVPN 2019, contained obfuscated code to show full-screen ads at any given point of time — irrespective of whether the app was running in the foreground or otherwise — resulting in significant battery and CPU usage.

Free VPN Master developed by Freemaster2019, likewise, shared the same code for serving Google ads, with both APK files having the same code structure and files.