The virus was unearthed by tech security researchers, and users of the app have been advised to update their software immediately.
The maintenance app is run by British company Piriform, a subsidiary of Avast, one of the world’s biggest anti-virus companies.
“We would like to apologize for a security incident that we have recently found in CCleaner version 5.33.6162 and CCleaner Cloud version 1.07.3191,” Paul Yung of Piriform said in a statement.
“We also immediately contacted law enforcement units and worked with them on resolving the issue.”
The company added that the rogue server is down and other potential servers are out of the control of the attacker.
“Supply chain attacks are a very effective way to distribute malicious software into target organizations,” Cisco’s threat intelligence group, Talos, explained in a blog about the hack.
“This is because with supply chain attacks, the attackers are relying on the trust relationship between a manufacturer or supplier and a customer.
“This trust relationship is then abused to attack organizations and individuals and may be performed for a number of different reasons.”
Talos notes that the sophisticated attack could be severe because of the “extremely high number” of systems possibly affected.
In November last year the CCleaner app was downloaded more than 2 billion times, according to the company, and is installed by desktop users at a rate of 5 million a week.
“If even a small fraction of those systems were compromised an attacker could use them for any number of malicious purposes,” Talos added.
The Talos blog notes that the nature of the attack code suggests that the hacker gained access to a machine used to create CCleaner.
The virus experts said that affected systems need to be reinstalled or restored to a state before August 15.
“At this stage, we don’t want to speculate how the unauthorized code appeared in the CCleaner software, where the attack originated from, how long it was being prepared and who stood behind it. The investigation is still ongoing,” Piriform’s Yung said.