Malware virus has been disguised on Android mobile apps, including Netflix, WhatsApp and Super Mario Run.

One of these botnets, which mainly targets the customers of banks in Germany, Austria and France, has infected more than 11,000 devices, including 5.700 in Germany and 2,200 in France. The attackers’ C&C server stored 1,300 payment card numbers and other banking information. Researchers determined that a majority of the infected devices had been running Android 6.0.1, but the list of victims also included more than 100 Android 7.0 devices.

The applications launched by the victim, and when one of the targeted apps is detected, an overlay screen is displayed in an effort to trick the user into handing over sensitive information.

The Trojan had been blocking eight antiviruses, but Securify’s report shows that the malware currently targets nearly two dozen products.