Around 300 apps have been withdrawn from Google’s Play Store after they were found to be secretly hijacking Android devices to supply traffic for wide-scale distributed denial of service (DDoS) attacks, as noted by Gizmodo. Google removed apps that offered services like ringtones and storage managers after security researchers uncovered the “WireX” botnet was behind the ploy. Malware was hidden inside the affected apps, and as long as the device remained switched on it was used in DDoS attacks.

Researchers at cloud services provider Akamai discovered WireX after a hospitality company suffered from a DDoS attack involving hundreds of thousands of IP addresses. DDoS attacks work by overwhelming a target with large amounts of data from multiple IP addresses, and they’re effective at taking down websites and services that can’t cope with a data influx. Google said in a statement it’s currently in the process of removing the malicious apps from affected devices, and some researchers say up to 70,000 devices in 100 countries could be compromised. Some of the WireX attacks also asked for ransom fees.

“Something malicious, possibly running on top of the Android operating system.”

Researchers from Akami, Cloudflare, Flashpoint, Google, Team Cymru, and others are working together to combat the botnet, which came to their attention on August 17. “Once the larger collaborative effort began, the investigation began to unfold rapidly starting with the investigation of historic log information, which revealed a connection between the attacking IPs and something malicious, possibly running on top of the Android operating system,” the researchers wrote in a joint blog post.

The researchers say organizations should share detailed metrics about DDoS attacks, in an effort to combat and learn more about them. Google is using machine learning to fight problem apps, and in May published a report showing some of its aggressive moves against malicious apps like better patching schedules is starting to pay off.