Symantec found the “trojanised” package on an unregulated third-party Chinese marketplace.
The technique of trojanising legitimate software is becoming the attack vector of choice for many hackers.
More than 58 malicious apps were found on the Android Market last week and downloaded onto about 260,000 devices. Google used its remote kill switch to wipe them from Android phones.
The repackaged version of the “Android Market Security Tool” can send SMS messages if instructed by a command-and-control server.
To add insult to injury, the code used in the new threat is based on a project hosted on Google Code and licensed under the Apache License, according to Symantec.
Of course, the answer is to download your Android software only from a trusted source, although the fact that 58 dodgy apps ended up in the official Android Market did not bode well. At least apps installed from there can be remotely deleted.