A group of cybersecurity researchers from Dr. Web claims to have spotted a number of apps on the Google Play Store in May with built-in adware and information-stealing malware.

The most dangerous of these apps, according to the report, is spyware tools capable of stealing information from other apps’ notifications, mainly to capture one-time two-factor authentication (2FA) one-time passwords (OTP) and take over accounts.

The majority of the apps containing the allegedly malicious code had been removed by the Play Store, but three remain online.

One is PIP Pic Camera Photo Editor, a malicious app with over a million downloads that reportedly steals people’s Facebook credentials.

Other apps in the Dr. Web list (including those that are no longer online) are Wild & Exotic Animal Wallpaper, an adware app that changed its name to SIM Tool Kit after installation that currently has 500,000 downloads and Magnifier Flashlight, an adware app with 10,000 downloads. 

The list also includes PIP Camera 2022 and ZodiHoroscope – Fortune Finder, both Facebook credential-stealing apps.

More broadly, Dr. Web researchers said that while apps stealing apps’ notifications content had overall decreased in May, the activity of advertising trojans had increased throughout the month.

“In May, Android.Spy.4498, which steals information from other apps’ notifications, was again the most common mobile threat,” reads the report.

“That said, its activity continued to decrease. Advertisement trojans from the Android.HiddenAds family also remained among the most widespread Android threats. Their activity, on the contrary, increased slightly compared to April.”

The report also highlighted the presence of new malicious applications emerging on Google Play.

“Among them are fraudulent apps from the Android.FakeApp family and Android.Subscription trojans that subscribe users to paid services. Above that, new variants of trojans from Android.PWS. Facebook family were revealed.”

The report comes days after Google published its monthly Android security bulletin, which fixed a number of critical vulnerabilities.