Compromised versions of the mobile game were found on third-party sites.
Nintendo’s new Pokémon GO augmented reality game has quickly proven to be a cultural phenomenon, juicing the company’s stock. But it is only available in certain countries right now, leading some players to install the game from third-party sources. Now, a malicious version of the software is poised to infect Android phones with code that gives hackers a backdoor into the infected device.
The malicious app was discovered by the security firm Proofpoint. Proofpoint researchers found a version of the Pokémon GO program that included a remote access tool, or RAT, called Droidjack, which they say can give an attacker “full control over a victim’s phone.”
The malicious version of the game was uploaded to a file sharing service on July 7th, just a few days after the game’s official release. Though they say they have not observed the malware in action “in the wild,” Proofpoint provides a few methods for concerned players to determine if they’ve inadvertently downloaded a compromised version of the game.
One of the major features distinguishing Android phones from iPhones is their ability to “side load” files downloaded from sources outside of Google’s Play Store. This allows users more flexibility, but is also, as Proofpoint puts it, “an extremely risky practice,” and part of the reason Android systems are more vulnerable to viruses and hacking than iPhones.
This is also not the first problem for Pokémon GO, which, precisely because of its immense popularity, experienced significant server issues at launch.