It's wise not to enter your credit card details into shady-looking apps and websites if you don't want your details stolen.
But sometimes, not even the apps you know and trust are safe.
A piece of malware detailed in a blog post from security firm Kaspersky is able to quietly steal victims' details when they enter them into apps, as well as spy on their texts and phone calls.
It's called Fakedtoken, and has been evolving over the last year -- growing increasingly sophisticated.
It began as a banking trojan that intercepted texts to steal two-factor authentication codes. Today, Kaspersky's researchers say they suspect it spreads via bulk SMS text message to potential victims, asking them to download some pictures.
If they do -- well, things don't go well for them. Once installed it hides its icon and places a covert overlay over "several banking and miscellaneous applications, such as Android Pay, Google Play Store, and apps for paying for traffic tickets and booking flights, hotel rooms, ans taxis."
If the victim then enters their card details into any of those apps, they fall into the hands of the malware's unidentified operators -- opening them up to the risk of fraud and identify theft.
The malware can even intercept SMS messages, meaning it can get around the two-factor authentication required by some banks to authorise payments and transfers.
The threat of Fakedtoken appears (for now) to be largely limited to Russian and ex-Soviet countries, the researchers wrote: "To this day we still have not registered a large number of attacks with the Faketoken sample, and we are inclined to believe that this is one of its test versions. According to the list of attacked applications, the Russian UI of the overlays, and the Russian language in the code, Faketoken.q is focused on attacking users from Russia and CIS countries."
(Kaspersky was alerted to the latest version "thanks to our colleagues from a large Russian bank.")
But it is nonetheless an example of the crafty and evolving threats facing smartphone users trying to keep their data safe.
Security experts recommend that Android smartphone users should not install apps from third-party sources or download unknown files. By default, Android phones only allow users to install apps from the official Google Play Store.
This post originally appeared on Business Insider.