Security researches say that up to 10 million Android smartphones have been infected by malware that generates fake clicks for adverts. The software is also installing apps and spying on the browsing habits of victims. Research suggests that the malware is currently making about £232,000 a month for its creators. The majority of phones that have been comprised by the malicious software are in China.

A spike in the number of phones infected by the malware was noticed separately by security companies Checkpoint and Lookout. The malware family is called Shedun by Lookout but Hummingbad by Checkpoint. Hummingbad is a type of malware known as rootkit that inserts itself deep inside a phone’s operating system to help it avoid detection and to give its controllers total control over the handset. The ability to control phones remotely has been used to click on ads to make them seem more popular than they actually are. The access has also been used to install fake versions of popular apps or spread programs the gang has been paid to promote.

The malware gets installed on handsets by exploiting loopholes in older versions of the Android operating system known as KitKat and JellyBean. The latest version of Android is known as Marshmallow.

Google released the latest security update for Android this month and it tackled more than 108 separate vulnerabilities in the operating system. SO far this year, security updates for Android have closed more than 270 bugs. (8th July 2016)