One final nightmare for anyone who has been unlucky enough to install it is the fact it can also collects information about victim’s device (country, network type, vendor, smartphone model, email address, IMEI, IMSI), which is then forwarded to the cybercriminal’s server.

Here’s everything that this threat is capable of:

• Open links received from the remote server in an invisible window (whereby the malware verifies that the user is connected to a mobile network).

• After a certain number of screen unlocks, hide itself from the apps menu.

• Check the availability of AccessibilityService rights and, if not granted, periodically issue a phishing request to the user to provide them.

• Disable Google Play Protect.

• Create shortcuts to advertised sites in the apps menu.

• Download apps from the third-party “market” Apkpure[.]com and install them.

• Open advertised apps on Google Play and “click” to install them.

• Replace shortcuts to installed apps with shortcuts to advertised sites.

• Post fake reviews supposedly from the Google Play user.

• Show ads when the screen is unlocked.