An Android app masquerading as a guide for Pokémon Go players is rooting devices and secretly installing adware and unwanted apps on users' smartphones.

The app, named Guide for Pokémon Go, made its way onto the official Google Play Store, from where over 500,000 users downloaded and installed it on their smartphones.

Kaspersky says telemetry from its security products shows that at least 6,000 users had their phones rooted and placed under the malware author's control.

Trojan hit the Play store before

Further research also revealed that another version of this app was uploaded to the Play Store in July, but was later removed. The same trojan packed inside the Guide for Pokémon Go app was found in nine other apps, uploaded at different times and under different names on the official Play Store.

The crook behind this trojan is obviously riding various popularity waves, packing his malware in clones (side apps) for whatever app or game is popular at one particular point in time.

Kaspersky says that most of these nine additional apps were installed no more than 10,000 times, but one app managed to get over 100,000 downloads.

The trojan is the work of an experienced malware coder

According to a technical analysis of the trojan, detected by Kaspersky under the generic name of HEUR:Trojan.AndroidOS.Ztorg.ad, this Android malware is extremely advanced, with several layers of defenses that make reverse engineering very difficult.

Researchers say the app uses a commercial packer, an application designed to scramble and hide code to prevent analysis by security researchers.

Furthermore, after infecting a device, the trojan doesn't immediately ping back its creators. The malware waits for the user to perform actions such as installing or uninstalling another app. This way, the trojan knows it's not running on a virtual machine or emulator, and can reveal its malicious behavior only if it's sure it infected a device used by a real person.

One of the sneakiest trojans to date

But the sneaking around isn't done yet. The trojan still waits two hours after ruling that this is a real device before contacting its C&C server.

When this happens, the trojan sends device details to register a new victim, and then waits for commands. It doesn't execute any action until the server responds twice to a request for instructions. Yet again, this is an anti-analysis technique meant to fool security researchers.

Once the crook behind the C&C server decides to take action, the server sends a JSON file with multiple links, which the trojan follows to download several files onto the infected device.
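For analysts, the three gates described above (a package install or uninstall, the two-hour wait, and two server responses) mean a "clean" sandbox verdict is only meaningful if the run exercised all of them. The following is an added example, not code from Kaspersky's analysis or from the trojan; the event names and the timeline format are constructed for illustration.

```python
from datetime import datetime, timedelta

# Gates as the article describes them; event names and log format are constructed.
TRIGGERS = {"PACKAGE_ADDED", "PACKAGE_REMOVED"}
WAIT_AFTER_TRIGGER = timedelta(hours=2)
RESPONSES_NEEDED = 2
ALL_GATES = ["package-change", "two-hour-wait", "two-c2-responses"]


def parse(line):
    """Split 'ISO-timestamp EVENT' into (datetime, event name)."""
    stamp, event = line.split()
    return datetime.fromisoformat(stamp), event


def unexercised_gates(lines):
    """Return, in order, the gates this sandbox run never satisfied."""
    events = sorted(parse(line) for line in lines if line.strip())
    if not events:
        return list(ALL_GATES)
    trigger = next((t for t, e in events if e in TRIGGERS), None)
    if trigger is None:
        return list(ALL_GATES)
    ready = trigger + WAIT_AFTER_TRIGGER  # earliest moment of first C&C contact
    if events[-1][0] < ready:
        return ALL_GATES[1:]
    replies = sum(1 for t, e in events if e == "C2_RESPONSE" and t >= ready)
    return [] if replies >= RESPONSES_NEEDED else ALL_GATES[2:]


# Constructed sample runs.
IDLE_RUN = ["2020-01-01T10:00:00 APP_LAUNCH", "2020-01-01T10:30:00 RUN_END"]
SHORT_RUN = ["2020-01-01T10:00:00 APP_LAUNCH", "2020-01-01T10:05:00 PACKAGE_ADDED",
             "2020-01-01T10:35:00 RUN_END"]
ONE_REPLY_RUN = ["2020-01-01T10:05:00 PACKAGE_REMOVED", "2020-01-01T12:06:00 C2_RESPONSE",
                 "2020-01-01T12:30:00 RUN_END"]
FULL_RUN = ONE_REPLY_RUN[:2] + ["2020-01-01T12:10:00 C2_RESPONSE", "2020-01-01T12:30:00 RUN_END"]

if __name__ == "__main__":
    for name, run in [("idle", IDLE_RUN), ("short", SHORT_RUN),
                      ("one reply", ONE_REPLY_RUN), ("full", FULL_RUN)]:
        print(name, "->", unexercised_gates(run) or "all gates exercised")
```

A run that reports any unexercised gate never reached the stage where the trojan would act, so the absence of malicious behavior in that run says nothing about the sample.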

Trojan downloads exploits and roots the device

These files contain various Android exploits capable of rooting the device, granting the attacker system-level access to the smartphone.

The exploits leverage various vulnerabilities disclosed between 2012 and 2015 to root the device, including one from the HackingTeam data dump.

"Victims of this Trojan may, at least at first, not even notice the increase in annoying and disruptive advertising, but the long term implications of infection could be far more sinister," says Roman Unuchek, Senior Malware Analyst, Kaspersky Lab.

"Even though the app has now been removed from the store, there’s up to half a million people out there vulnerable to infection - and we hope this announcement will alert them to the need to take action," Unuchek also adds.