Google yesterday admitted that up to 260,000 smartphones have been hacked after handset users unwittingly downloaded virus-infected apps.
The threat came to light last week when the technology giant was forced to withdraw at least 50 apps from its official Android Market.
Google operated a ‘killswitch’ and remotely removed all of the affected apps from peoples’ phones.
The firm has now sent text messages warning those affected that the malicious applications could access their personal information and take control of their handset.
Studies have found that the dodgy applications were downloaded after they had been repackaged with a code that corrupted them.
Google Android is an open-source software stack for mobile devices that includes an operating system, middleware and key applications.
The deadly apps were simply copies of existing programs which had malware DroidDream found in them, and were swiftly taken off the site and recalled – but not before affecting hundreds of thousands of users.
DroidDream fires sensitive data, such as a phone’s unique ID number, to a remote server.
In addition the malware will check if the phone has been infected already. If it hasn’t the program bypasses security controls and hands its creator access to the handset.
This means that the user can access information, including passwords for other personal things.
Security expert Mikko Hypponen said the incident is embarrassing for Google because it shows the firm hasn’t fully tested the safety of its apps.
‘I do think Android phones are more vulnerable than any of the other major smartphones out there at the moment,’ he told Metro.
A Reddit user first noticed the problem late last week after one program, which teaches people how to play a guitar on their mobile handset, was titled under the name of a publisher who didn’t write it.
‘Lompolo’ discovered that the application was a carbon-copy of the original, however it had a name change and virus code added to is.
The user had worked out that the corrupted application had been downloaded more than 200,000 times after they were placed on the Marketplace.
The latest version of the Android operating system, known as Gingerbread, is not vulnerable to the exploits DroidDream uses.
Google has suspended three accounts being used by the developer of the apps.