Android users, beware: Security researchers have discovered a new type of trojanized adware targeting devices running Google's mobile operating system.

Mobile security company Lookout this week said it has detected more than 20,000 samples of malware masquerading as legitimate apps like Candy Crush, Facebook, Google Now, NYTimes, Snapchat, Twitter, WhatsApp, and even the two-factor authentication app Okta. The malicious apps, which are being distributed via third-party app stores, function just like normal, with one major difference—they contain malicious code that roots the device.

As soon as you install one of these malicious apps, the malware automatically roots your device, embeds itself as a system application, and becomes "nearly impossible" to remove, Lookout said.

"Adware, which has traditionally been used to aggressively push ads, is now becoming trojanized and sophisticated," Lookout wrote in a blog post Wednesday. "This is a new trend for adware and an alarming one at that."

Chances are, if your device has been infected, you won't even be able to tell. This new auto-rooting adware silently works in the background, unlike varieties in the past that were obvious, constantly prompting you with obnoxious uninstall messages. And the fact that this malware roots your device makes it extra nefarious.

"The act of rooting the device… creates additional security risk," Lookout said. "Usually applications are not allowed to access the files created by other applications, however with root access, those limitation[s] are easily bypassed."

Lookout has discovered three interconnected families of trojanized adware — dubbed Shuanet, Kemoge (or ShiftyBug), and Shedun (aka GhostPush) — responsible for more than 20,000 malicious apps. The researchers believe these apps were created by three different authors or groups, who "have at least heard of each other" and leveraged each other's work. Some variants they discovered have 71 to 82 percent code similarity.

"Getting infected with Shedun, Shuanet, and ShiftyBug might mean a trip to the store to buy a new phone," Lookout said. Worse yet, the company expects this class of torjanized adware to become more popular among cybercriminals and "continue gaining sophistication over time."

As usual, this is another reminder to avoid suspicious third-party apps and app stores.

Further Reading