Transcript for How to protect yourself from downloading fake apps
Okay, we're back with a "Gma" investigation about scammers possibly targeting holiday shoppers. A recent study says 40% of Americans have been victims of what's called online phishing and that's not all you need to worry about as shopping continues to go high tech these days. ABC's gio Benitez is here with the story. Hey, gio. Reporter: Good morning. Adobe an lit seconds estimates 54% of all visits to shopping sites will come from smartphones and tablets. That's why our warning about fake malicious apps is so important to revisit. There are nearly 3.4 million at any time hackers can use to see what you're doing on your phone. As you're about to see, the risk is very real. We're inside a coffee shop in Washington, D.C. With a group of young people who have no idea that some of them are about to be hacked. Here we go. Here's why. Just this September, a massive breach made headlines. One of the biggest outbreaks ever. Reporter: Hackers somehow introduced 50 malicious apps also known as doppelgangers, fake apps that mirror the reel thing into the Google play store and millions of unsuspecting android users downloaded the bad app, a total of 4.2 million times. One of those disguised as a seemingly simple app called lovely wallpaper. You don't realize it's a fake. So if you download a nasty version of minecraft, for example, you actually seem to get minecraft and it seems to work but in the background the attackers are able to access your information. Reporter: James Lyne is a security adviser at sophos and gave phones to our volunteers as part of our demonstration. We told them to use the phones as they normally would. What they don't know, James already installed a malicious app on the phones. Now watch with the group sitting in another part of the coffee shop? We can retrieve their text messages. There it is. Say, it's me. Stunning. There's a little emoji. Next James triggers one of their cameras. He's going to have no idea the camera is just activated and there's a photo of one of our users. Hi, guys. It turns out every one of our volunteers had signed in to their social media accounts. Did anyone notice anything strange happening on your phones? Not realizing James had stolen all of their passwords. The person who should have noticed something going on was you. Oh, did you take that of me while I was on my phone? While you were on the phone. This is the selfie cam. That's scary. Reporter: We decided to upantampa E with one of the students taking him outside. He had no idea that inside the coffee shop -- I'm tracking him now and can see where he is. Reporter: -- James was live streeping his camera and pinpointing his location. He has access right now to this. James can even control his text messages. What is this? Hey, can you send me your password? I didn't text that. You didn't? No. But it says you did. James says someone doesn't even have to be on their phone to be hacked. Even when you weren't using the phone we still got a picture of you. Oh, what? How? So the phone was just sitting there on the table looking right up at you. Reporter: Experts say the danger is far greater than just a stolen selfie. Once the cybercriminal is into your phone they can access your user anyways and password, credit cards. Basically to be able to profit from your device without you knowing. Unbelievable. Google tells us it's been tracking this maltware for months and constantly removing bad apps from the play store and added to its review procedures but the company relies on the community of users and developers to catch these bad apps. I know we've traumatized Paula. I'm almost speechless. By the way, let me turn your camera down. Wait. Wait. There we go. Next time I send a dumb text to my wife I'm going to say I got hacked. Let me ask what can we do to protect ourselves change your password? That's important but not enough. If you've been hacked you need to delete the app. You need to restore your phone. You need to just wipe it entirely and you really need to look for who these developers are. Research them and make sure you're downloading from a trusted developer. Gio, thanks for the wake-up call. We appreciate it. Just a little disturbing on this Black Friday, gio.
This transcript has been automatically generated and may not be 100% accurate.