(Chris Ratcliffe / Bloomberg)

New strains of Android malware are masquerading as popular apps like "Candy Crush" and Snapchat, but once installed dig themselves so deeply into smartphones they are "nearly impossible" to remove,and could force people to replace their devices, according to cybersecurity firm Lookout.

The company says it observed over 20,000 samples of this type of adware in the digital wild. Some of the malicious apps functioned like their real counterparts, but they all also quietly gain "root access" to a device and install themselves as system applications. That means they have practically unlimited access to files on the device -- a big security and privacy risk. That's why it is so difficult to totally remove the apps.

But, luckily, there is a pretty easy way to avoid them: Only install apps from Google's official Play Store.

"Malicious actors behind these families repackage and inject malicious code into thousands of popular applications found in Google Play, and then later publish them to third-party app stores," Lookout noted in a blog post about the malware. That means the victims here were people who went outside of Google's official channels to install the imposter apps.

Some users turn to such markets to take advantage of offers of free or discounted apps, or find apps that don't make the cut in official market places -- sometimes because they rely on pirated material or are hyper-localized to a specific geographic market.

Google did not immediately respond to a request for comment on this story, but the company has long tried to limit suspicious apps in the Google Play store by scanning the market for signs of malware. It hasn't always been 100 percent successful in those efforts, nor has Apple, its main competitor in the mobile operating systems market.

But security experts generally agree that consumers are much safer sticking to the official market places rather than downloading apps from third-party alternatives -- where these new strains appear to have lurked.