Dubbed "Samsapo," the malware can also extract information (phone numbers, text messages) from the infected device and send it to a remote server, can download additional malicious files from predefined URLs, and can block phone calls and change alarm settings.
The Trojan is difficult to spot - its package is named in a way to make it seem that the software is a system utility app and, once installed, it does not show an icon, and doesn't have a GUI that the user can access by accident.
The method it uses for spreading is still very unusual for Android malware, and takes a leaf from the playbook of Windows-oriented malware peddlers: users get infected when they receive an SMS (apparently sent by a known contact) that says (in Russian): "Is this your photo?" and they download the linked-to malicious APK package.
Once on the target device, the malware continues the infection cycle by sending out the same message to the people whose contact details are stored on it.
"The attacker’s domain that serves as a drop-zone for the Android malware was registered on April 24, 2014," shared ESET researcher Robert Lipovsky. Currently only Russian users are targeted, but this malware has the potential to spread far and wide with only a few tweaks.
Luckily, users can protect themselves from it and from other Android malware by being careful what links they follow and what apps they download, and also by restricting the installation of apps from unknown sources.
Reading our newsletter every Monday will keep you up-to-date with security news.
Receive a daily digest of the latest security news.