Kaspersky Lab says it has identified the first SMS Trojan that specifically targets Android smartphones, although the application it piggybacks on isn't listed on the Android Market and appears to only be affecting users in Russia.
The malware, which Kaspersky has named Trojan-SMS.AndroidOS.FakePlayer.a, has already found its way onto "a number of mobile devices", Kaspersky said in a blog post earlier this week.
The Trojan disguises itself in a 13-KB application called Movie Player, which is available through a malicious Website and has the standard Android extension .APK. Once installed on the device, the Trojan begins sending SMS messages to premium rate numbers without the owner's knowledge, in some cases racking up fees of several dollars per message.
However, so far the Trojan appears to have only infected users in Russia and it only operates on Russian cellular networks, the mobile security firm Lookout said in a Wednesday blog post.
Although Android devices have been hit with spyware in the past, this is the first SMS Trojan that focuses on Android devices, according to Kaspersky Lab. The Moscow-based firm says it's "actively developing technologies and solutions" for Android and will release its Kaspersky Mobile Security for Android product early next year.
To prevent infection, users should pay close attention to the services an Android application requests access to when it is being installed, Kaspersky warned.
Lookout says this is an example of why users need to keep close watch on what files they're downloading. "This Movie Player app directly lists permissions to access 'Services that cost you money' before you install," Lookout said in a blog post.
Google, in a statement sent to media outlets, warned users of the perils of downloading unsanctioned Android apps. "We consistently advise users to only install apps they trust. In particular, users should exercise caution when installing applications outside of Android Market," Google said in the statement.
McAfee, however, is downplaying the severity of the threat, noting that SMS and premium call-related Trojans have been around for years on both mobile devices and PCs.
"This isn’t a new trick, it is an old trick on a new platform, said Jan Volzke, head of Mobile Products and Marketing at McAfee, in a Wednesday blog post. "We categorize this as low risk for both consumer and corporate users because distribution is limited."