Researchers uncover more Android malware on Google's Market

11.07.2011

HippoSMS was only published to unauthorized Chinese app stores, however.

Like almost all Android malware, HippoSMS piggybacks on a host app and is installed when that app is downloaded and approved by the user.

Its makers are monetizing the malware by forcing an infected smartphone to text a premium number -- attackers are paid a portion of the revenues earned by such numbers -- but they're also trying to hide that behavior from users.

"It will delete any SMS message if it starts with the number '10,'" said Jiang, noting that numbers such as "10086" and "10010" are used by Chinese mobile service providers to notify customers about ordered services and their current bill balances. "We believe the removal of the related SMS messages is used to hide the additional charges caused from the malware," Jiang said.

Both Lookout and Jiang said one way that Android users can avoid malware is to carefully examine the access permissions an app asks for.
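The permission check recommended above can be automated for a decoded `AndroidManifest.xml`. This is an added example, not code from the article, Lookout or Jiang. The permission grouping is an assumption based on standard 2011-era Android SMS permissions, not HippoSMS's actual permission list, and the sample manifests and package names are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission groups matching the two behaviours the article describes.
# The grouping is an assumption of this example, not HippoSMS's actual list.
SEND = {"android.permission.SEND_SMS"}          # can text a premium number
HIDE = {"android.permission.WRITE_SMS",         # can delete stored messages
        "android.permission.RECEIVE_SMS"}       # can see incoming messages first
READ = {"android.permission.READ_SMS"}

def requested_permissions(manifest_xml):
    """Return the set of permission names in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)  # use defusedxml for untrusted input
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {n for n in names if n}

def review(manifest_xml):
    """Rate how much SMS capability an app requests."""
    perms = requested_permissions(manifest_xml)
    can_send, can_hide = bool(perms & SEND), bool(perms & HIDE)
    if can_send and can_hide:
        risk = "high"      # can incur charges and suppress the evidence
    elif can_send:
        risk = "medium"    # can incur charges
    else:
        risk = "low"
    return {"risk": risk, "sms_permissions": sorted(perms & (SEND | HIDE | READ))}

# Constructed sample manifests (hypothetical package names).
SUSPECT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.videoplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.WRITE_SMS"/>
</manifest>"""

BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    for name, xml in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, review(xml))
```

A "high" rating only means the app requests the capabilities needed for the behaviour; legitimate messaging apps request them too, so the result has to be read against what the app claims to do.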