Android malware that infiltrated Google Play seems to be on a larger scale than previously thought, and more malicious apps now haunt the playground.

New evidence shows the family of Android malware that reached Google Play was folded into three additional apps and has at least 10 months of operation, security researchers warn.

According to Bitdefender researchers, the malicious ad network library called "BadNews" made its way into at least 35 different apps that were available for download on Google servers. Google removed as many as 32 apps, but the company's security personnel did not remove the additional three apps until Bitdefender flagged them this weekend.

Apps that carry BadNews code upload phone numbers, unique device identifiers, as well as other data from infected phones and prompt end users to download and install fake updates for legitimate apps such as Skype. The Bitdefender report on Monday, April 22, came after security firm Fortinet reported the deactivation of a Google Play developer account that was pushing a suspicious app.

It remains unclear at this point why Google security personnel removed the three additional malicious apps only after Bitdefender flagged them. The code may use polymorphism to keep from showing tell-tale signatures that Google's Bouncer cloud-based scanning service could catch. A gloomier possibility, meanwhile, is that Google stopped running scans on its existing base of apps after receiving last week's report. Google representatives declined to comment on the matter.

"We've been saying for a while that there's aggressive adware that collects your data, collects all kinds of stuff on you, but now you can actually bypass Google security by using the custom-made adware framework," Bitdefender researcher Liviu Arsene tells Ars Technica. "As long as I convince enough developers to use my adware framework, I can push any type of content I want through that framework."

BadNews promotes a number of malicious apps, including AlphaSMS, a trojan that adds charges by sending text messages to expensive services. According to Arsene, the malicious BadNews code library used to push such apps has existed since at least June 2012, but some apps did not initially display the fake update notifications.

"Although it didn't feature the push notification telling users to install fake updates — like the Skype update, for instance — it did have the function built into it," Arsene further explains, as cited by Ars. "It was kind of like someone was testing it but they didn't actually go along and have the malware. Somebody was testing the adware framework before it actually went and disseminated malware."

As Google's Android is a very popular platform, malware targeting Android is constantly growing. To protect against such malicious apps, Android users should consider running a smartphone antivirus app and avoid downloading and installing apps from sources other than Google Play. It's obvious that not even Google Play is safe from malware, but it does add an important layer of defense that reduces one's chances of getting infected.