Google’s monthly updates protect Android from malicious attacks (provided the manufacturer of your phone is willing to send updates on time). As long as you are careful when downloading apps from outside the Play Store, it is quite easy to keep your device these days, even if new attackers try to distribute dangerous viruses. This week, mobile security researchers discovered spyware that pretends to be a system update, only to take total control of the smartphone after installation.

Malware, first discovered by security firm Zimperium, is surprisingly sophisticated. After being installed via an included app outside the Play Store, it masks itself with the same notice as a confirmed update from Google. When active, nothing is safe from touch: This spyware can view and upload messages, contacts, search history, and bookmarks. It can track locations, take pictures with the camera, record both phone calls and external audio, and even steal copied content from the clipboard.

It is important to note that the app that included this spyware was never available in the Play Store, so most Android users do not have to worry about losing control of their smartphones. It is also likely that this was a targeted attack, given how thoroughly malicious software scans a device. Still, it’s as good a reminder as keeping your phone up to date with confirmed security updates from Google and only downloading external APKs that you trust – such as from the APK Mirror.