Android malware used to mask online fraud, says expert

04.05.2012

It's almost certain that the controllers of NotCompatible are using stolen credit cards to purchase products, said Mahaffrey: There's little reason to divert traffic through a proxy if the purchases are legitimate.

NotCompatible uses a never-seen-on-Android attack vector, Mahaffrey and other security experts said this week. "This is the first time that [attackers] have used legitimate websites to serve Android malware," said Mahaffrey. "That's what caught our eye.... We see Android malware all the time, but it's usually served using social engineering."

Mahaffrey was referring to the tactic of enticing users to download and install Trojan horses posing as legitimate apps.

When an Android phone or tablet browses to one of the compromised websites, it is redirected to attacker-controlled servers, which automatically push the NotCompatible package to the device as a download. The downloaded file poses as a security update and asks the user to approve its installation; on a stock Android device of that era the install also fails unless the user has enabled installation of apps from unknown sources.

Some media reports have characterized NotCompatible as a "drive-by" attack, but that's not entirely accurate, said both Mahaffrey and Liam O Murchu, manager of operations with Symantec's security response team, at least not according to the usual definition of the term. A true drive-by download exploits a browser or platform vulnerability to install code with no user interaction; NotCompatible is downloaded automatically, but it still cannot install unless the user accepts the prompt.