An Android Trojan has been discovered that can record the outgoing telephone calls of infected users and send them to remote servers.
The Trojan was revealed by researchers at CA Technologies on Monday, partly as a warning to people who do not check which system access permissions are needed for an app before installing it.
Malware researcher Dinesh Venkatesan wrote in a blog post that, while previous Trojans have been observed logging details of calls and call duration, this was the first he had seen that could actually record the conversation itself. It does this in the speech-optimised .amr format.
"It is always recommended to have a logical decision making before allowing an app to have certain permissions," Venkatesan wrote, pointing out how the app actually tells the user before installation that it will "record audio" and "intercept outgoing calls".
Once in action, the Trojan records the call in a directory called shangzhou/callrecord on the phone's microSD card.
The threat of mobile malware used to be minimal, but the rapid spread of commonly-used platforms, particularly the hugely successful Android, has meant there are enough networked users on a single platform to make malware for such systems viable.
"As it is already widely acknowledged that this year is the year of mobile malware, we advise the smartphone users to be more logical and exercise the basic security principles while surfing and installing any applications," Venkatesan said.
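The permission check Venkatesan recommends can be automated. The sketch below is an added example, not code from CA Technologies or from the Trojan. It flags an app whose manifest requests both permissions quoted above (`RECORD_AUDIO` for "record audio" and `PROCESS_OUTGOING_CALLS` for "intercept outgoing calls"). It assumes the manifest has already been decoded to text XML, that `INTERNET` is the permission that would allow uploads, and the sample manifests are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# The two install-prompt labels quoted in the article, as manifest permission names.
CALL_RECORDING = {
    "android.permission.RECORD_AUDIO",            # "record audio"
    "android.permission.PROCESS_OUTGOING_CALLS",  # "intercept outgoing calls"
}
# Assumption: network access is what lets recordings leave the phone.
UPLOAD = "android.permission.INTERNET"

def declared_permissions(manifest_xml):
    """Return the set of permission names a decoded manifest requests."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for element in root.iter(tag):
            name = element.get(ANDROID_NS + "name")
            if name:
                names.add(name.strip())
    return names

def assess(manifest_xml):
    """Classify a manifest as 'ok', 'review' (can record calls) or 'high' (can also upload)."""
    perms = declared_permissions(manifest_xml)
    if not CALL_RECORDING <= perms:
        return "ok"
    return "high" if UPLOAD in perms else "review"

# Constructed sample manifests (hypothetical apps, not taken from the article).
HEADER = '<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="{}">'

def sample(package, *perms):
    body = "".join('<uses-permission android:name="android.permission.{}"/>'.format(p)
                   for p in perms)
    return HEADER.format(package) + body + "</manifest>"

WALLPAPER = sample("com.example.wallpaper", "RECORD_AUDIO", "PROCESS_OUTGOING_CALLS",
                   "WRITE_EXTERNAL_STORAGE", "INTERNET")
VOICE_MEMO = sample("com.example.memo", "RECORD_AUDIO", "WRITE_EXTERNAL_STORAGE")

if __name__ == "__main__":
    for label, manifest in (("wallpaper", WALLPAPER), ("voice memo", VOICE_MEMO)):
        print(label, assess(manifest), sorted(declared_permissions(manifest)))
```

A "review" or "high" result is a prompt to ask whether the app's stated purpose explains the permissions, since legitimate call-recording apps request the same set.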