Google’s monthly patches help keep Android safe from malicious attacks (assuming your phone’s manufacturer is willing to ship updates on time). So long as you’re careful when downloading apps from outside the Play Store, keeping your device secure is pretty easy these days, even as new attackers try to distribute dangerous viruses. This week, mobile security researchers have discovered spyware that pretends to be a system update, only to take total control of the smartphone after being installed.

The malware, first found by security firm Zimperium, is surprisingly sophisticated. After being installed via a bundled app outside of the Play Store, it masks itself using the same notification as a verified update from Google. Once it’s active, nothing is safe from its touch: This spyware can view and upload messages, contacts, search history, and bookmarks. It can track locations, capture photos using the camera, record both phone calls and external audio, and even steal copied content from your clipboard.

It’s important to note that the app that included this spyware was never available in the Play Store, so most Android users don’t have to worry about losing control of their smartphones. It’s also likely this was a targeted attack, considering how thoroughly the malware scans a device. Still, it’s as good a reminder as any to keep your phone up to date with verified security patches from Google and to only download external APKs that you trust — like, say, from APK Mirror.