The style of attack is known as a drive-by download and is common on the desktop: When someone visits a hacked website, malware can transparently infect the computer if it doesn't have up-to-date patches.

"This appears to be the first time that compromised websites have been used to distribute malware targeting Android devices," on its blog.

Lookout said it noticed that "numerous" websites had been compromised to execute the attack, although those sites had low traffic. The company expects the impact to Android users will be low. The malware that tries to install itself, dubbed "NotCompatible," appears to be a TCP relay or a proxy.

"This threat does not currently appear to cause any direct harm to a target device, but could potentially be used to gain illicit access to private networks by turning an infected Android device into a proxy," Lookout said. "This feature in itself could be significant for system IT administrators: a device infected with NotCompatible could potentially be used to gain access to normally protected information or systems, such as those maintained by enterprise or government."

NotCompatible will automatically start downloading if the hacked website detects an Android device is visiting by looking at the web browser's user-agent string, which specifies the device's operating system.