Google is getting better at keeping Android malware out of the Play Store, and that's leading attackers to use more sophisticated disguises for their rogue apps. SophosLabs has proof: it just detailed a recent ad-spawning malware strain, Andr/HiddnAd-AJ, that slipped into Google Play through innocent-looking QR code and compass apps. While that's nothing new by itself, the malware used a pair of tricks to feign innocence. The hostile code was buried in what looked like a regular Android programming library, and it didn't kick in until 6 hours after you've installed it.
The Google team has since pulled the malware-laden apps, and it typically learns from incidents like this as it refines its anti-malware scanning tools. And Sophos still recommends using Google Play if you can -- while it's not perfect, its scrutiny still make it safer than many third-party stores. Incidents like this mainly serve as reminders to stay skeptical and double-check the nature of apps on Google Play, even if they seem legitimate on the surface.