Suspicious code is lurking in a repackaged Chinese version of a tool Google released last weekend to remotely clean malicious apps off Android phones, Symantec said today.
This "trojanized" package was found on an unregulated third-party Chinese marketplace and not on the official Android Market, Symantec said in a blog post.
After 58 malicious apps were found on the Android Market last week and downloaded onto about 260,000 devices, Googleand then too.
Now, Symantec says someone appears to have taken the "Android Market Security Tool" used to clean up the devices infected with the malware, repackaged it and inserted code in it that seems to be able to send SMS messages if instructed by a command-and-control server.
It also looks like the code used in the new threat is based on a project hosted on Google Code and licensed under the Apache License, according to Symantec.
A Google spokesman provided this statement when asked for comment: "We encourage Android users to only install applications from sources they trust."
Several things about this threat should raise red flags for people: it's not on the official, trusted Android Market, and it requires a user to install it, whereas the Google tool used an automatic push function to distribute the legitimate app.
The initial malware found on the Android Market, dubbed "DroidDream," not only could capture user and product information from a device but also had the ability to download more code capable of further damage.
"We have added detection for the trojanized version of Google's application as Android.Bgserv," Symantec said.
Meanwhile, a Kaspersky researcher has questioned the efficacy and methods of Google's Android security tool itself.