Nearly 30 banking trojans were removed from the Google Play Store, but not before being downloaded by nearly 30,000 users.

ESET researchers spotted 29 malicious apps masquerading as device boosters, cleaners, battery managers and horoscope-themed apps. Once installed, the apps could dynamically impersonate any app installed on the victim’s device and target the user with custom phishing attacks, according to an Oct. 24 blog post.

The malicious apps were active between August 2018 and early October 2018. Notably, they could intercept and redirect text messages to bypass SMS-based two-factor authentication, intercept call logs, and download and install other apps on the compromised device.

Once downloaded, the apps would either display an error message claiming the app was incompatible with the user’s device and had been removed, or display the promised function. In either scenario, they would operate maliciously in the background.

The malicious apps were described as sophisticated mobile banking malware with complex functionality and a heavy focus on stealth. They were uploaded mostly under different developer names and guises, but similarities in code and a shared command and control server suggest the apps are all from the same threat group.

Google has since removed the apps and recommends users avoid third-party app stores, check the number of downloads and content reviews, and pay attention to permissions granted to apps.
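The permission check recommended above can be automated when triaging apps on managed devices. The following is an added example, not code from ESET or Google: it flags apps whose advertised purpose (the guises named in this article) does not explain SMS, call-log or installer permissions. The mapping from reported behaviours to Android permission names, the dump format (modelled on `aapt dump permissions` output) and the sample apps are assumptions constructed for illustration.

```python
import re

# Assumption: Android permissions matching the behaviours the article reports.
# The article names behaviours only; this mapping is not from ESET's post.
RISKY = {
    "android.permission.RECEIVE_SMS": "intercept text messages",
    "android.permission.READ_SMS": "intercept text messages",
    "android.permission.SEND_SMS": "redirect text messages",
    "android.permission.READ_CALL_LOG": "intercept call logs",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install other apps",
}
# Advertised guises named in the article; none needs the permissions above.
LOW_NEED = ("boost", "clean", "battery", "horoscope")

# Accepts both "uses-permission: name='X'" and the older "uses-permission: X".
PERM_RE = re.compile(r"uses-permission(?:-sdk-\d+)?:\s*(?:name=)?'?([\w.]+)'?")

def parse_permissions(dump):
    """Return the set of permission names found in a permission dump."""
    matches = (PERM_RE.match(line.strip()) for line in dump.splitlines())
    return {m.group(1) for m in matches if m}

def triage(label, dump):
    """Flag apps whose advertised purpose does not explain risky permissions."""
    hits = parse_permissions(dump) & set(RISKY)
    behaviours = sorted({RISKY[p] for p in hits})
    low_need = any(word in label.lower() for word in LOW_NEED)
    if hits and low_need:
        verdict = "investigate"   # utility guise plus SMS/call-log/installer access
    elif hits:
        verdict = "review"        # may be legitimate, e.g. a messaging app
    else:
        verdict = "ok"
    return {"label": label, "verdict": verdict, "behaviours": behaviours}

# Constructed sample dumps (not taken from any real app).
BOOSTER = """package: com.example.superbooster
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.RECEIVE_SMS'
uses-permission: name='android.permission.READ_CALL_LOG'
uses-permission: name='android.permission.REQUEST_INSTALL_PACKAGES'
"""
MESSENGER = """package: com.example.messages
uses-permission: android.permission.RECEIVE_SMS
uses-permission: android.permission.SEND_SMS
"""
HOROSCOPE = "package: com.example.stars\nuses-permission: name='android.permission.INTERNET'\n"

if __name__ == "__main__":
    for label, dump in [("Super Booster", BOOSTER), ("Messages", MESSENGER),
                        ("Daily Horoscope", HOROSCOPE)]:
        print(triage(label, dump))
```

A verdict of "investigate" is a prompt for manual review, not proof of malice; a clean permission list likewise does not rule out malicious behaviour.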