Though the app appears to have been pulled, ESET reports that, when downloaded and run, the app installed not Pokémon Go, but something called “PI Network.” Anyone who ran that app would find their phone completely frozen, forcing them to restart the phone by removing the battery. After rebooting, the PI Network app seemed to disappear, but in fact continued running in the background and generating fake ad clicks.

Get Data Sheet, Fortune’s technology newsletter.

Victims of the app can find and uninstall it manually by going to their phone’s application manager.

ESET also spotted several other malicious apps, including one called “Install Pokemongo” (sic) and one called “Guide & Cheats for Pokemon Go.” Other apps promise to generate free in-app items, including Pokeballs, Pokecoins, or Lucky Eggs—but in the end, all of these are bait-and-switches, which ultimately “attempt to mislead the user into subscribing to expensive bogus services.”

The plague of malicious tricks surrounding the augmented-reality game highlights the security risk posed by Android’s relatively open app ecosystem. Though the specific apps highlighted by ESET seem to have been removed from the Play Store, a search this morning found several apps named with variations on “Install Pokémon Go.” The apps promise tips and tricks for ‘side-loading’ the game—installing it using unofficial files—a particularly appealing pitch for gamers in regions where the game isn’t available yet.

For more on Pokémon Go, watch our video.

But given the continuing plague of malicious fakes, tempted users should probably approach any non-official install file or method with extreme caution, and be circumspect even when installing support apps for the game.