Security researchers say APKPure, a widely popular app for installing older or discontinued Android apps from outside of Google’s app store, contained malicious adware that flooded the victim’s device with unwanted ads.

The most recent app version, 3.17.18, contained malicious code that siphoned off data from a victim’s device without their knowledge, and pushed ads to the device’s lock screen and in the background to generate fraudulent revenue for the adware operators. This malicious code capable of downloading other malware pieces.

APKPure developers likely introduced the malicious code, known as SDK, from an unverified source. APKPure removed the malicious code and pushed out a new version, 3.17.19, and the developers no longer list the malicious version on its site.

APKPure was set up in 2014 to allow Android users access to a vast bank of Android apps and games, including old versions, as well as app versions from other regions that are no longer on Android’s official app store Google Play. Later has its own software outside play store

APKPure is ranked as one of the most popular sites on the internet.Security experts have long warned against installing apps outside of the official app stores as quality and security vary wildly as much of the Android malware requires victims to install malicious apps from outside the app store. Google scans all Android apps that make it into Google Play, but some have slipped through the cracks before.