An estimated 600,000 Android devices have been infected by malware hidden in guides for popular mobile games and may be used to create a botnet to generate ad revenue for the attackers, security researchers at Check Point said.

A report published Monday by the cybersecurity firm revealed the attack, dubbed FalseGuide, which has managed to upload malicious code into a number of apps that were available through the Google Play Store, Google’s official marketplace for apps.

Read: Gooligan, Google Malware: One Million Android Devices And Counting Infected

Check Point said the oldest instance of FalseGuide was found uploaded to the Google Play Store on Feb. 17. In a matter of just over two months, the malware has found its way onto more than 600,000 devices.

The malware was spread through a number of apps that presented themselves as guides for popular mobile games, including Pokémon Go, FIFA, World of Tanks and a number of LEGO titles. Some of the individual guides reached as many as 50,000 installs.

Check Point alerted Google about the issue and said the company promptly removed the infected apps from the Google Play Store. Another round of apps containing the FalseGuide attack appeared in April and were quickly squashed.

Read: 36 Android Devices Come With Malware Preinstalled

The FalseGuide malware attempted to turn infected phones into a makeshift botnet that allowed the attackers to control the devices without the knowledge of the device owners.

FalseGuide would request administrative permissions to the device, then would register itself with Firebase Cloud Messaging, a messaging service that allows developers to send notifications and messages. From there, the attacker could send malware that would be installed on the infected device.

That malware would be used to display illegitimate advertisements that would generate revenue for the attackers. The attackers could also inject highly malicious code into an infected phone to root the device, conduct a DDoS attack or penetrate private networks.

Check Point has provided a full list of malicious apps, which Android users may want to reference. Despite the apps being pulled from the Google Play Store, they are likely still active on devices, leaving users still prone to attack.