Google’s monthly patches help keep Android safe from malicious attacks (assuming your phone manufacturer is willing to send updates on time). As long as you’re careful when downloading apps from outside of the Play Store, keeping your device safe is pretty easy these days, even when new attackers try to distribute dangerous viruses. This week, mobile security researchers have discovered spyware that pretends to be a system update, only to take full control of the smartphone after it is installed.

The malware, first discovered by security company Zimperium, is surprisingly sophisticated. After being installed through an app included outside the Play Store, it masks itself using the same notification as a verified update from Google. Once it is active, nothing is safe from your touch: this spyware can view and load messages, contacts, search history, and bookmarks. You can track locations, capture photos with the camera, record phone calls and external audio, and even steal copied content from your clipboard.

It is important to note that the application that included this spyware was never available on the Play Store, so most Android users do not have to worry about losing control of their smartphones. This is also likely a targeted attack, considering how deeply the malware scans a device. Still, it’s as good a reminder as any to keep your phone up to date with verified security patches from Google and download only external APKs that you trust, such as from APK Mirror.