Google has pulled an app that was downloaded more than half a million times from the Play Store because it was infected with malware.
Color Message, an app designed to allow users to personalise their default SMS messenger with colours and other styles, contained the Joker malware which can subscribe people to premium paid services without their knowledge.
It is also able to access one-time passwords (OTPs) from text messages to be able to approve those payments. Users often only find out about the malware when they see unknown charges on bank statements.
The malware was identified by cybersecurity researchers at Pradeo who said the app appeared to be connecting to servers based in Russia.
Apps that contain Joker can be difficult to detect and uninstall. Color Message, like others before it, had the capability to hide its icon once installed.
Color Message also uploaded the contact information of those infected, according to Pradeo.
"By using as little code as possible and thoroughly hiding it, Joker generates a very discreet footprint that can be tricky to detect," Pradeo's Roxane Suau said.
This meant it was able to pass any of Google's checks prior to going live on the Play Store.
Before the app was taken down, some users had identified it had cost them money and had posted negative reviews.
Checking reviews before installing an app is one way users can potentially avoid installing one containing malware.
Anyone who has installed Color Message is urged to delete it from their devices as soon as possible.