Researchers have discovered seemingly harmless apps sitting in the Google Play store that were actually malware stealing banking credentials. According to Google, these malicious apps have been removed now.

These 12 apps disguised as QR scanners, PDF scanners, and cryptocurrency wallets were downloaded more than 300,000 times, according to an Ars Technica report.

Mobile security researchers at ThreatFabric after further investigation found that this spyware stole people’s banking passwords and two-factor authentication codes. They later added that the malware also logged keystrokes and took screenshots of people’s smartphones.

These apps used several modern tricks to bypass Google’s firewall restrictions by first presenting users with a seemingly legitimate app that initially tested negative for malware. The apps functioned just as advertised when people first downloaded them.

Once the apps were installed, though, they asked to be updated via third-party sources but, by then, many users had come to trust them. That’s when the malware was installed in the form of a Trojan horse, a type of malware characterized by its seemingly harmless appearance.

The malware family responsible for the largest number of such infectious apps is known as Anatsa. This is a rather advanced Android banking trojan that scams the user in a variety of ways, including remote access and automatic transfer systems, which automatically empties the victim’s accounts and transfers the amounts to the accounts belonging to the hijacker’s.