Security researchers claim to have discovered one of the biggest outbreaks of Android malware ever to sneak its way from the Google Play Store onto people’s devices.
The campaign consisted of dozens of malicious apps that sent fraudulent premium text messages and charged people for fake services, according to researchers at Check Point Software Technologies (CHKP), an Israeli cybersecurity giant that published a report and blog post about the attack on Thursday. In total, the infection spread to as many as 21 million victims, the company said.
“This was one of the most extensive malware campaigns to infiltrate Google Play Store, both in size and in its malicious effect,” Daniel Padon, mobile threat researcher at Check Point, tells Fortune. Unlike most malware found on Google Play, this “directly inflicts harm to users,” he said, meaning that the attacks ran up people’s phone bills, rather than solely, say, spinning up bots that generate revenue by clicking on bogus ads.
The researchers dubbed the malware “ExpensiveWall” after one of the booby-trapped apps, “Lovely Wallpaper,” which claimed to offer a selection of background images for phones. Other infected apps included ones named “I Love Filter,” “Tool Box Pro,” and “Horoscope.”
Get Data Sheet, Fortune’s technology newsletter
At least 50 apps, which Android users downloaded as many as 4 million times, featured an advanced form of the malware that used “packing,” a technique that compresses code with encryption, effectively masking it. This measure allowed the malware to evade Google’s security filters, the researchers said.
The infections spread further and wider than any other Google Play Store-distributed malware, except for a May campaign called “Judy,” which infected as many as 36 million devices, as Forbes notes. The security firm McAfee identified an early variant of the ExpensiveWall malware in January.
The Check Point team alerted Google to the cybercriminal scheme on Aug. 7, it said, and the search giant subsequently removed the apps from its app store. The researchers noted that even after the supposed eradication, another version of the malware snuck its way onto the Google Play Store, reaching 5,000 devices before Google evicted it four days later.
“We’ve removed these apps from Play and always appreciate the research community’s efforts to help keep the Android ecosystem safe,” said Aaron Stein, a Google spokesperson.
Despite the scammers’ success in tricking people to download the malicious apps, reviewers posted plenty of warnings on Play Store’s comments pages. “Virus detected,” said one. “Spam app,” wrote another. “Scam!!!” warned a third.
“It is NOTHING like the ad on Instagram,” wrote one disgruntled user. “DO NOT DOWNLOAD IT.”
Based reviews like the above, Check Point researchers have speculated that the apps were promoted through ads on various social networks, including Facebook’s (FB) Instagram. (Instagram did not reply with a comment to Fortune’s request for more information.)
“To protect themselves, users should make sure none of the apps listed was installed on their device,” Padon says. If any appear, people should manually remove them.
Check Point said it would post a full list of known malicious apps on its website for people to check against.
