Android handsets hit by first SMS Trojan app

The first SMS Trojan targeting the Android smartphone operating system has been discovered by Kaspersky Labs.

The malicious app has been designed to stealthily send premium-rate text messages without user consent to a shortcode number that costs the victim $5 (£3.19) per text, according to security expert Ram Herkanaidu at Kaspersky.

According to Herkanaidu, Trojan-SMS.AndroidOS.FakePlayer.a was found disguised as a media player application but was not available from inside the Google Market.

Unlike Apple's iPhone, Android handsets can install apps from anywhere on the web. However, in order to install third-party apps from 'unknown sources', the user must explicitly allow the operation from within the phone's settings, Herkanaidu said. He added that the app has therefore had very little impact in terms of infection, with only "a handful" of Android owners affected.

The rogue app was discovered in Russia and poses little direct threat to UK Android owners, Herkanaidu said, but he warned ZDNet UK that "Android is really taking off", and Kaspersky sees the malware as "an indication of what will come in the future".

The company said that, in order to protect themselves, customers should pay close attention to the list of permissions being granted when installing apps, particularly those downloaded from outside of the Android Market.

In July, the security firm NetQin reported that Symbian S60 owners were being targeted by botnet-building viruses that propagated by sending text messages containing links to malicious websites to a user's entire phone contact list.

At the time, NetQin estimated that 100,000 handsets had been infected, but Craig Heath, chief security technologist at the Symbian Foundation, said that the threat was "very minor" in comparison to those affecting desktop PCs.