The malware, dubbed AdultSwine, displayed pornographic images that looked like ads but were actually created to prompt users to download fake security software and, getting users to click on links they then have to pay for.
OnePlus has recently announced a data transfer app called the OnePlus Switch to simplify data transfer between Android devices. "We appreciate Check Point's work to help keep users safe".
"It's insidious as it originates in apps downloaded from trusted sources such as Google Play".
"Apps infected with the nasty "AdultSwine" malware are able to cause emotional and financial distress", said Check Point in a blog post.
While they appeared as such, the pornographic images displayed were not actually Google ads.
Google has removed more than 60 apps from the Google Play store after security researchers found they were exposing children to hardcore pornography. Then there were some ads that tried to trick the user into giving up their phone number by telling them that they had won a prize.
The researchers also discovered that the malicious code can move laterally within the phone's infrastructure, opening the door for other attacks, such as user password theft.
In this case, the hidden code inside the offending apps, dubbed AdultSwine, will either show pornographic ads from a third-party server or through the code's own ad library, Check Point said.
However, with the number of apps on Google Play estimated at more than 3m, according to Statista, lurking malicious code is sometimes spotted and reported only by users or cyber security firms.
AdultSwine's third malicious activity is to charge the victim's account for fraudulent premium services they did not request.
It might, for example, show an ad claiming "the user is entitled to win an iPhone by simply answering four short questions", Check Point explained. One user says, "Don't install for your kids".
A complete list of the affected apps is available in Check Point's report.
"Due to the pervasive use of mobile apps, "AdultSwine" and other similar malware will likely be continually repeated and imitated by hackers".