Google’s Play Store unknowingly hosted a fake cryptocurrency app that actually modifies users’ crypto wallet addresses once they’re copied to the clipboard, researchers are reporting.

This Android-based “clipper” malware, as it’s called, secretly changes the wallet address to one hosted by the attackers, allowing them to steal victims’ digital coin transactions, explains ESET researcher Lukas Stefanko in a Feb. 8 company blog post.

Clipper malware first came to light in 2017, and found its away into unofficial third-party app stores by 2018, but this is the first-ever case of it sneaking into the Play Store, ESET claims.

Dubbed, Android/Clipper.C, the malware impersonates MetaMask, a legitimate service that allows cryptocurrency users to run Ethereum decentralized apps in a browser without running a full Ethereum node. But here’s the problem: MetaMask in real life doesn’t actually have an Android app — only browser-based apps.

“Several malicious apps have been caught previously on Google Play impersonating MetaMask,” Stefanko states in his blog post. “However, they merely phished for sensitive information with the goal of accessing the victims’ cryptocurrency funds,” rather than changing content saved to clipboards.

In this case, Android/Clipper.C malware acts has dual functionalities: It can steal victims’ credentials and private keys for accessing their Ethereum funds, or it can alter Ethereum and Bitcoin wallet addresses whenever they’re saved to an infected device’s clipboard. The clipper technique is effective, Stefanko explains, because users frequently cut and paste their long, complicated wallet addresses rather than having to type them out.

ESET says the clipper was added to the Play Store on Feb. 1, adding that Google promptly removed the malware after ESET researchers notified them of the phony app.