The Google Play app store has a reputation as the safest place online to get Android apps, and Google does a good job of advising users to limit exposure to malware and other risks by configuring their phones to forbid side-loading and alternative app markets in the Android Settings.

We’ve encountered several apps in the past, however, that manage to gain access to this walled garden. The latest of these discoveries is a set of apps that has managed to reappear in the Play store even after we alerted Google and the original app was removed. The same code was published on Google Play with a slightly different name under a new publisher.

This malware (Android.Reputation.1) appears on the Play Store hidden in at least seven apps in the U.S. offering fun, useful, and sometimes insidious features. These include emoji keyboard additions, space cleaners, calculators, app lockers, and call recorders. None of the samples we analyzed actually functioned as advertised on their Google Play pages. Once the app is installed, it takes various measures to stay on the device, disappear, and erase its tracks.

All of these apps have the same set of tricks designed to take advantage of the device user, including:

1) Waiting before undertaking the scam. The malware is configured to wait for four hours before launching its malicious activity, so as not to arouse user suspicion straight away. If the user isn’t tipped off right after app installation, they’re less likely to attribute strange behavior to the true culprit.