By now we’re all familiar with the upsides and downsides to the Google Play store’s approach to vetting apps: The upside is that it’s incredibly easy for new apps to get posted on the store. The downside is that it’s incredibly easy for shady mobile apps to get posted on the store. Technology Review points us to a new study from the Institut Eurécom that shows us how shady Android apps might be even shadier than we ever imagined.

DON’T MISS: The funniest thing you’ll see today: Kids react to the Apple Watch

According to Technology Review, researchers Luigi Vigneri and colleagues have devised a way to tell what websites different Android apps connecting to on a regular basis. They decided to test out their technology by installing over 2,000 free Android apps onto phones that spanned all 25 app categories in the Google Play store.

They discovered that “the apps connect to a mind-boggling 250,000 different urls across almost 2,000 top level domains” and that “while most attempt to connect to just a handful of ad and tracking sites, some are much more prolific.” Even worse, they found that “a small proportion of the apps even seem designed to connect to suspicious sites connected with malware.”

The good news is Vigneri and his team are working on an app of their own called NoSuchApp that will soon be available on Google Play to help users find out which websites their mobile apps are communicating with.

To read Institut Eurécom’s study on Android apps, check out the full PDF here.