Google's Android mobile operating system has been hit by its first text-based Trojan, according to security firm Kaspersky Labs.
The malicious software, called Trojan-SMS.AndroidOS.FakePlayer.a, has hit a number of mobile devices, the company said.
The Trojan poses as a harmless media player application. Users are prompted to install a file of just over 13Kbytes with the standard Android extension .apk.
Once installed, it sends text messages to premium rate numbers controlled by cyber criminals, who collect all the payments made from victims' accounts.
The Trojan-SMS category is currently the most widespread class of malware for mobile phones, but Trojan-SMS.AndroidOS.FakePlayer.a is the first to specifically target the Android platform, Kaspersky said.
But it is not the first case of Android devices becoming infected, with the first Android spyware appearing in "isolated" cases in 2009, the security firm said.
IDC and other market research companies have noted Android-based devices are experiencing the highest growth in sales among smartphone manufacturers.
"As a result, we can expect to see a corresponding rise in the amount of malware targeting that platform," said Denis Maslennikov, mobile research group manager at Kaspersky.
Kaspersky Lab plans to release software aimed at protecting the Android operating system in early 2011, he said.
Kaspersky Lab recommends that users pay close attention to the services that an application requests access to when it is being installed, especially access to premium rate services that charge to send text messages and make calls.
When a user agrees to these functions during the installation of an application, the smartphone may then be able to make calls and send text messages without further authorisation, the firm warned.
But Google claims Android’s application permissions model protects against this type of threat.
“When installing an application, users see a screen that explains clearly what information and system resources the application has permission to access, such as a user's phone number or sending a text message,” a Google spokesperson said.
Users must explicitly approve this access to continue with the installation, and they may uninstall applications at any time.
“We consistently advise users to only install apps they trust.
"In particular, users should exercise caution when installing applications outside of Android Market,” the spokesperson said.