Tens of millions of Android devices have been infected with malicious code security experts have dubbed 'Agent Smith', after the character from the film The Matrix.
Researchers from cybersecurity firm Check Point say so far Agent Smith has only been used to show victims unwanted adverts, but it's capable of much worse.
"Agent Smith currently uses its broad access to the device's resources to show fraudulent ads for financial gain," the firm said.
"However, it could easily be used for far more intrusive and harmful purposes such as banking credential theft. Indeed, due to its ability to hide its icon from the launcher and impersonates any popular existing apps on a device, there are endless possibilities for this sort of malware to harm a user's device."
Agent Smith was first spotted earlier this year in a wave of attacks in India, and researchers soon realised it was an all-new threat.
Devices are infected when users install a game or other app with the malicious code. Agent Smith looks at what other apps on the device then replaces them with its own version, without the user realising. Apps its capable of cloning include messaging service WhatsApp, browser Opera and keyboard Swiftkey.
"It's not enough for this malware family to swap just one innocent application with an infected double. It does so for each and every app on the device as long as the package names are on its prey list."
It's estimated each infected device has an average of around 112 'swaps'.
"The primary targets, so far, are based in India though other Asian countries such as Pakistan and Bangladesh are also affected," Check Point said.
That's mainly because the malicious code is easier to spread through third-party stores popular in Asian countries. But Check Point also found 11 apps on the official Google Play Store carrying the bug, with a few hundred thousand devices in the UK and US infected. They've since been removed.
- Fake fingerprints can probably unlock your phone - researchers
- The cyber threats to watch out for in 2019
Experts say users might not be too worried if they think showing ads is all Agent Smith does, but they should be.
"We've seen malicious ads that can install apps when you browse to a webpage from your Android device," Dustin Childs, spokesperson for cybersecurity company Trend Micro, told The Mercury News.
"They could be installing ransomware, they could be copying your contacts," he said,recommending users install ad blockers where possible.
"Ad blockers aren't just to block ads."
Newer versions of Android have patched the vulnerability Agent Smith uses to hack people's phones, but not every manufacturer sends out regular updates, nor do users always update to the latest versions available.
"Google is very good about releasing fixes for the vulnerabilities they know about, but getting it to all the devices is a very difficult problem," said Childs.
A map of infections worldwide had New Zealand in grey, suggesting minimal or no infections - yet.