According to Kervin Alintanahin of Trend Micro's Asia-Pac research team, the trojanised Android app - GoldDream - has been disguised as a racing game called 'Fast Racing'.
Whilst the infection is difficult to spot until it is too late, the analyst says that the 'game' requires a lot more permissions than is normal for a racing game app.
When the infected device boots, he says, the malware starts a service called Market, probably a trick that the malware writer created to make the user think it is harmless.
"Like previously found Android malware, this monitors affected users' incoming text messages. Once a message is received, it will record content and sender information, then copy this to a .TXT file called zjsms.txt. Logs of incoming and outgoing calls are also kept and saved as zjphonecall.txt", he says in a security posting.
The malware, he adds, is also capable of communicating with a remote command-and-control (C&C) server, which is currently located at http://{BLOCKED}r.gicp.net.
Unlike previously detected Android malware, which used hard-coded server URLs, GoldDream connects to alternative servers if instructed to do so by its current C&C server, Alintanahin says. It can also, he notes, update itself, which may be an attempt to evade detection and removal.
Unusually, the malware can still 'call home' even if access to the relevant C&C server(s) is blocked, dumping data that includes the IMEI and IMSI of the smartphone or tablet where appropriate, along with the above-mentioned files.
As previously reported by Infosecurity, the IMEI/IMSI pair - in the right hands - can be used to make fraudulent cellular calls billed to the legitimate owner's account.
Equally interestingly from a security perspective, the Trend analyst says that the malware can also accept uploaded files from remote servers, suggesting that the malware may even be modifiable, as is the case with SpyEye and Zeus for the Windows platform.
As Alintanahin observes: "It appears that Android malware writers have added new features that used to be only common in the desktop environment to their mobile threats."