Sophos has detected a new type of Android malware called 'Andr/HiddnAd-AJ' that piggybacks at least six QR code reader apps previously available to download from the Google Play store. Once installed on user devices the malware waits six hours and then bombards the users with ads and notifications. It's believed to have been installed on at least 500,000 devices.
Should you be worried?
Following the discovery, Google has removed the offending apps from the Google Play store and pulled them from user devices. This means that if you've downloaded apps only from the Google Play store you have nothing to worry about.
If you think you might have downloaded something dodgy outside the Google Play store and that it remains on your device, follow our steps for how to remove an Android virus.
What to do next
This particular virus appears to have been stopped in its tracks for now, but it highlights the fact that even sticking purely to the relatively safe confines of the Google Play Store isn't always enough to keep you safe. Although Google vets every app, sometimes things can go under its radar.
We still recommend using Google Play wherever possible, but you should always keep your wits about you when downloading any new app. If you witness rogue behaviour following the installation of an app, don't ignore it.
Read next: Does Android need antivirus?