According to Lookout, as many as 47 out of 1,000 Android devices has “encountered an app-based threat.”
In an email to Ars Technica, Lookout researcher Michael Flossman said that the apps might also be distributed through direct phishing texts with download links, or through non-Google app markets. For instance, there#8217;s still a listing for Soniac on a site called App Geyser.
“The actors behind this family have shown that they’re capable of getting their spyware into the official app store,” Lookout writes, “and its build process is automated.” That suggests similar deceptive apps could make it into the Play Store again.
According to Lookout, a developer, possibly based in Iraq, built over a thousand malicious messaging apps by weaving spy functions into the public source code for a legitimate (and quite popular) messenger app called Telegram. The developer rebranded the resulting apps with names including Soniac, Hulk Messenger, and (in an apparent bit of humor) Troy Chat. Those three were actually successfully listed on Google Play (googl), though they’ve since been pulled.
The use of stealthy Android applications to spread malware is becoming increasingly common and sophisticated. While the SonicSpy trojanware looks fairly low-rent, researchers in May uncovered malware being distributed through the fairly polished and popular “Judy” series of cooking and lifestyle games, which had also outsmarted Google’s screening process.
Get Data Sheet, Fortune’s technology newsletter.