UPDATED 23:04 EST / SEPTEMBER 24 2018

Malicious apps with hidden cryptomining script found in Google Play – again

Despite numerous promises from Google LLC and occasional crackdowns, cryptojacking apps — apps that hijack a mobile device to mine cryptocurrencies — have once again been discovered in the Google Play store.

A week after a report from the Cyber Threat Alliance found that cryptomining detections spiked 459 percent this year, security researchers at Sophos Ltd. said Monday they've discovered at least 25 Android apps in the official Google Play store containing code that mines cryptocurrencies in the background.

The apps were disguised as games, utilities and educational apps, but unbeknown to downloaders, they contained embedded code from Coinhive that enables the app to mine for the Monero cryptocurrency. Eleven of the 25 apps were preparation apps for standardized tests given in the U.S., all published by a single developer account called “Gadgetium.”

Combined, the discovered apps are believed to have been downloaded around 120,000 times.

In an arguable positive, the apps were found to be using throttling to limit how much of the processor the mining consumed. That made them less likely to be detected, and less likely to cause side effects such as device overheating, high battery drain and overall device sluggishness, which were seen with some of the code used in cryptojacking attacks last year.

The Sophos researchers said they informed Google of the apps in August, but only a few have been removed, leaving the majority available for download.

In Google’s defense, it is a numbers game with Google Play and detecting these apps is sometimes like finding a needle in a haystack. Nonetheless, Sophos researchers argued, if they can find them, so should Google. In this case, a simple scan for Coinhive code embedded in apps allowed the researchers to discover the malicious apps.
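The kind of static scan the researchers describe can be sketched as follows. This is an added example, not Sophos's tooling: the indicator strings (Coinhive's script name, domain, JavaScript constructor names and `throttle` option) are assumptions based on Coinhive's public web miner, since the article does not list what was searched for, and the sample APK is constructed in memory.

```python
import io
import re
import zipfile

# Assumed indicators from Coinhive's public web miner; the article does not
# say which strings Sophos matched on.
INDICATORS = {
    "coinhive_domain": re.compile(rb"coinhive\.com", re.I),
    "coinhive_script": re.compile(rb"coinhive\.min\.js", re.I),
    "coinhive_api": re.compile(rb"CoinHive\.(Anonymous|User|Token)\s*\("),
    "throttle_option": re.compile(rb"throttle\s*:\s*0?\.\d+"),
}
MAX_ENTRY_BYTES = 20 * 1024 * 1024  # skip oversized entries (zip-bomb guard)

def scan_apk(apk_bytes):
    """Return {entry name: sorted indicator names} for each matching entry."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir() or info.file_size > MAX_ENTRY_BYTES:
                continue
            data = apk.read(info)  # decompressed bytes: assets, dex, resources
            found = sorted(n for n, rx in INDICATORS.items() if rx.search(data))
            if found:
                hits[info.filename] = found
    return hits

def is_suspicious(hits):
    # A throttle setting alone is too generic; require a Coinhive-specific hit.
    return any(n.startswith("coinhive_") for names in hits.values() for n in names)

def build_sample_apk(with_miner):
    """Constructed sample input: a minimal APK-shaped zip, not a real app."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest package='com.example.quiz'/>")
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32)
        page = b"<html><body>Practice test</body></html>"
        if with_miner:
            page = (b"<html><script src='https://coinhive.com/lib/coinhive.min.js'>"
                    b"</script><script>var m = new CoinHive.Anonymous("
                    b"'SITE_KEY_PLACEHOLDER', {throttle: 0.9}); m.start();</script></html>")
        z.writestr("assets/index.html", page)
    return buf.getvalue()

if __name__ == "__main__":
    for label, flag in (("miner sample", True), ("clean sample", False)):
        print(label, scan_apk(build_sample_apk(flag)))
```

Plain string matching of this kind misses miners that are obfuscated or fetched at runtime, so a clean result only means that none of these indicators appear in the packaged files.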
