Security researchers at Lookout found three new families of “auto-rooting adware” for Android. Each one can root the device and install itself as a system application. The infections are designed to survive even a “factory data reset”.

Lookout found over 20,000 popular apps infected, and some of these apps appear to be legitimate, having titles ranging from Candy Crush to Facebook to Snapchat, WhatsApp, The New York Times and even Google Now.

The three malware famalies are named Shedun, Shuanet and ShiftyBug. Even though they seem to be closely related they have seperate authors. The malware utilizes “publicly available exploits that perform the rooting function” and “authors used the same pieces of code to build their versions of the auto-rooting adware,” the researchers said.

Since Shedun, Shuanet and ShiftyBug root the Android system and install themselves as system application you may need to replace your smart phone if infected.

The discovered app infections were concentrated in United States, Germany, Iran, Russia, India, Jamaica, Sudan, Brazil, Mexico and Indonesia.