Google has taken down hackers’ Gmail accounts that were receiving stolen information from a malware app called “Google Play Stoy,” which intercepts banking credentials, certificates and text messages, according to a Wednesday blog post from FireEye, which worked with Google to remove them.

The application eluded detection by traditional signature-based anti-virus evasion methods by encrypting malware behind a fake user interface.

The app (com.sdwiurse), poses as the official Google Play Store app, and if downloaded, places a near-mirror icon of the real app on the victim’s home screen.

Once installed, an attacker can siphon the data. Since the app disables the “uninstall” feature, users can’t remove it, though they are tricked into thinking the app has uninstalled itself.

A pop up message reads “Unfortunately, google app stoy has stopped,” and though the app icon disappears, the app continues to run in the backend.

[An earlier version of this story incorrectly stated that the Google Play Stoy app was available in the Google Play Store and had been removed].