The malware can record calls, take photos, and perform a variety of invasive actions.

Before you approve what appears to be a new Android update, you may want to verify that you’re installing the real thing.

According to mobile security firm Zimperium zLabs, a new form of malware disguised as a system update is making the rounds on Android devices. Instead of actually upgrading users to a new version of the operating system, the malware commandeers the phone to take advantage of several functions. It lets bad actors record audio, phone calls, take photos, access messages within third-party messengers like WhatsApp, and even search for specific file types present on the phone.

This invasive “app” is considered a “sophisticated spyware campaign with complex capabilities,” according to zLabs researchers. After installation, the device becomes registered with the Firebase Command and Control (C&C) and reports information about WhatsApp, storage information, the internet connection, and a swath of other details.

Triggering the spyware comes in different ways: installing a new app, receiving a text, or even adding a new contact. From there, call recording can begin if calls are made or received. Messages can be logged. It’s a whole suite of bad news, especially when users have no idea it’s all taking place.