Malicious Apps Delivering Adware Found in Google Play Store

A SophosLabs researcher discovered two new Android malware variants hidden inside apps available for download in the Google Play store. The first variant, dubbed “Guerilla,” was found in 15 seemingly legitimate apps and is described as a fully functioning backdoor, allowing threat actors to download additional malware onto infected devices. The threat actors push aggressive ad-click plugins to the victims, covertly generating ad revenue for the perpetrators. The second malware, dubbed “HiddnAd,” was hidden in seven different apps, including six QR code-reading apps and one “smart compass” app. The malicious apps were downloaded hundreds of thousands of times and bypassed security in the Play store by delaying malicious activity until six hours after installation. Once the malicious activity began, pop-up advertisements would display on the victim’s device, along with Android notifications containing links that, if clicked, generated ad revenue for the threat actors. Google has since removed the infected apps from the Play store.

The NJCCIC recommends Android users review the Sophos reports on the Guerilla and HiddnAd malware variants for a list of affected apps and, if any are installed, immediately remove them from the device. Additionally, we recommend running a reputable antivirus application on all devices, refraining from downloading apps that require excessive device permissions, promptly removing apps that exhibit unexpected or unwanted behavior, and keeping all device software and apps updated to the most recent version.