More than 100 Android applications that were downloaded over 4.6 million times via the Google Play Store were found to contain malicious code that delivers unwanted, out-of-context (OOC) advertisements to users.
The code, a software development kit called Soraka, typically delivers its first OOC ad just after a device is unlocked, according to a new blog post from researchers at White Ops, who discovered the threat. If the user clicks the home button to minimize this ad, a second unwanted ad appears. A third OOC ad soon follows as additional actions are taken.
In order to perpetrate its ad fraud activity, Soraka “first removes a background notification services that stops ad fraud activity when the phone screen is off,” a White Ops company blog post states. “There is also code initiating fraud activity only while the device screen is on and the host app is not on top,” the report continues.
Soraka, which in some cases is accompanied by a similar variant called Sogo, was observed in programs that included various sleep/bedtime assistance and alarm apps, puzzle and brainteaser apps, prank apps, file manager apps and more. In its blog post, White Ops highlighted the Best Fortune Explorer App, which offers to make predictions on users’ futures. Published by JavierGentry80, the app was released last September and has been downloaded more than 170,000 times.
According to White Ops, Soraka leverages the “AppsFlyer” mobile attribution and marketing analytics framework, and will only deliver the OOC ads if the framework determines that the app was installed as the direct result of a promotional effort on the part of the fraud actors. Soraka checks filters such as “Screen On,” “Top Activity,” “Interval Since Installation” and “Ad Network Daily Count Limit” in order to find devices that are best suited for fraud, while avoiding detection “from automated analysis and other services that would install the app ad-hoc and then, most likely, be considered as organic by AppsFlyer,” the blog post continues.
White Ops did not indicate if Google was privately notified of the ad fraud apps or if the programs were removed from the Google Play Store. SC Media has reached out to both Google and White Ops for additional details.