As much as Google has done to keep malware out of the Play Store, some notable examples still get through. Google has pulled 210 apps from the store after Check Point researchers discovered that they were infected with the same strain of adware. Nicknamed "SimBad" based on the abundance of infected simulator games, the code hid in a bogus ad-serving platform and created a back door that could install rogue apps, direct users to scam websites and show other apps in stores. Check Point believes the apps' developers were tricked into using the platform.
Unfortunately, these weren't just specialty apps with few users. The apps had nearly 150 million downloads, and dozens of them have over 1 million downloads -- the largest (Snow Heavy Excavator Simulator) had over 10 million. The oldest apps were available since March 2017.
We've asked Google for comment. SimBad may have been difficult to stop compared to some malware, since it was piggybacking on otherwise legitimate apps and was focused on serving ads as opposed to stealing data. Even so, this illustrates a familiar problem with the Play Store: Google's current scanning techniques can still miss rogue apps like this, and customers can't always tell that an app is suspicious just by looking at it.