Zscaler researchers discovered an Android malware masquerading as a security feature for AliPay, a Chinese online payment app similar to PayPal with a large customer base and used by 65 financial institutions, including Visa and MasterCard.

“The fake app is a malicious SMS stealer Trojan” that appears as "Security Controls" to hoodwink victims, they wrote in a blog post. Once it's installed, the app hides and the icon vanishes. It then registers Android services to steal SMS and sends them along to the C&C server. Unbeknownst to the victim, who may believe the app had been removed by the Android OS because it was faulty, the malware lurks in the background and does its dirty work through services. Removing the “app” is easy, the researchers said.

Alipay doesn't impose transaction fees and is used by more than 300 merchants globally.