Android malware used to mask online fraud, says expert

04.05.2012

"Drive-by" typically describes attacks that are automatically triggered as soon as a user browses to an infected website, and rely on unpatched vulnerabilities to install malware.

That's not the case with NotCompatible, which, although it's downloaded to an Android phone or tablet automatically, still requires some help from the user to be installed. NotCompatible does not exploit an Android vulnerability.

Only devices that allow app installation from 'Unknown Sources' -- in other words, from sites or e-markets beyond the official Google Play app store -- are susceptible to infection, said Lookout and Symantec, which has also .

Such installations, called "sideloading," are often a trait of corporate-owned or -managed devices, since the setting lets IT administrators, or employees for that matter, download and install company-designed apps.

That was one of the reasons Lookout first suspected that the malware was targeting enterprises, perhaps using the Android proxies as a way to conduct reconnaissance of corporate resources, or even using them to transfer stolen data from hacked businesses.