Anyone who installs the compromised apps will find they have full messaging functionality. But in the background, according to Lookout, the apps are able to hijack a variety of basic phone functions. That includes making outbound calls, sending text messages, and harvesting call logs, contacts, and Wi-Fi data.

According to Lookout, a developer, possibly based in Iraq, built over a thousand malicious messaging apps by weaving spy functions into the public source code for a legitimate (and quite popular) messenger app called Telegram. The developer rebranded the resulting apps with names including Soniac, Hulk Messenger, and (in an apparent bit of humor) Troy Chat. Those three were actually successfully listed on Google Play (GOOGL), though they’ve since been pulled.

Get Data Sheet, Fortune’s technology newsletter.

In an email to Ars Technica, Lookout researcher Michael Flossman said that the apps might also be distributed through direct phishing texts with download links, or through non-Google app markets. For instance, there’s still a listing for Soniac on a site called App Geyser.

“The actors behind this family have shown that they’re capable of getting their spyware into the official app store,” Lookout writes, “and its build process is automated.” That suggests similar deceptive apps could make it into the Play Store again.

The use of stealthy Android applications to spread malware is becoming increasingly common and sophisticated. While the SonicSpy trojanware looks fairly low-rent, researchers in May uncovered malware being distributed through the fairly polished and popular “Judy” series of cooking and lifestyle games, which had also outsmarted Google’s screening process.

According to Lookout, as many as 47 out of 1,000 Android devices has “encountered an app-based threat.”