In the past year, a similar threat has begun to emerge on mobile devices: So-called overlay malware that impersonates login pages from popular apps and websites as users launch the apps, enticing them to enter their credentials to banking, social networking, and other services, which are then sent on to attackers.

Such malware has even found its way onto Google’s AdSense network, according to a report on Monday from Moscow-based security firm Kaspersky Lab. The weapon would automatically download when users visited certain Russian news sites, without requiring users to click on the malicious advertisements. It then prompts users for administrative rights, which makes it harder for antivirus software or the user to remove it, and proceeds to steal credentials through fake login screens, and by intercepting, deleting, and sending text messages. The Kaspersky researchers call it “a gratuitous act of violence against Android users.”

Overlay malware screenshots via Security Week

“By simply viewing their favorite news sites over their morning coffee users can end up downloading last-browser-update.apk, a banking Trojan detected by Kaspersky Lab solutions as Trojan-Banker.AndroidOS.Svpeng.q,” according to the company. “There you are, minding your own business, reading the news and BOOM!—no additional clicks or following links required.”

The issue has since been resolved, a Google spokeswoman said in an email, adding that there’s no indication the attack ever affected more than one website. The company has said in the past that it works to block malware attacks from third-party ads distributed through its networks. The effort has become increasingly critical as Google and other advertising networks try to dissuade users from filtering out ads altogether with adblocking tools, which also aim to reduce ad-delivered malware and the web beacons used to track users across websites.

Researchers from Kaspersky have reported a 15.6% increase in the number of financial malware in the second quarter of 2016, compared to the previous quarter, as well as a continuing .

The creators of such malware can charge would-be fraudsters thousands of dollars on underground hacking marketplaces for mobile malware tools that deploy such bogus login pages, often in conjunction with other features like the ability to intercept SMS messages, according to research by Limor Kessem, an executive security advisor at IBM Security.