One of the things we always hear from hardcore Android enthusiasts with any new device release is complaints about how much bloatware comes on Samsung phones, especially when Samsung themselves seem keen on duplicating apps for their own purposes. Now we’re seeing the dark side of this, as researchers say Samsung has left millions of customers exposed to hacking through negligence with one of these old apps.

An app called S Suggest used to come installed as default on most Samsung phones. The app was designed to suggest other popular apps to users, but Samsung discontinued it in 2014. That’s where the problems begin, because while Samsung stopped maintaining the app, they didn’t maintain the domain name that controls app content. By letting the app-ssuggest.com domain expire, a security researcher was able to hijack the domain.

This outcome could have been a lot worse had malicious hackers decided to take over the domain instead of a security researcher, since the domain would give them the power to push malicious apps to millions of users who might still be using a device with the S Suggest app on it. Samsung disputes the claim and says despite the domain takeover, hackers wouldn’t be able to install malicious apps.

Despite that claim, the security researcher has revealed that in a 24 hour period, he saw 620 million device check-ins from 2.1 million unique devices, which means there’s still a substantial portion of phones out there using apps that are no longer reported. S Suggest’s permissions include the ability to reboot the phone remotely and install apps or packages.