Google Android phones must be popular – they’ve just been targeted with their first Trojan. An SMS Trojan called Trojan-SMS.AndroidOS.FakePlayer.a has already infected a number of mobile devices, according to security firm Kaspersky Lab. Purporting to be a harmless media player application, the Trojan, once installed, actually sends out SMS text messages without the users’ knowledge or consent.

The Trojan penetrates Android-based smartphones disguised as an ordinary application, says Kaspersky. Users are prompted to install a small file of around 13 KB that has the standard Android extension .APK. But once the “app” is installed on the device, the Trojan bundled with it begins texting premium rate phone numbers (those that charge). The criminals are actually the ones operating these numbers, so they end up collecting the money via charges to the victims’ accounts.

From Russia, With Love

According to Denis Maslennikov, Senior Malware Researcher at Kaspersky Lab, there’s not an exact number of infected devices available at present, but the outbreak is currently regional. For now, only Russian Android users can actually lose money after installing the Trojan, but anyone can be infected.

The Trojan-SMS category of malware is relatively common in the mobile ecosystem, but this is the first to specifically target Android-based devices. However, FakePlayer is not the first malware designed for Android, says the firm, as there have been isolated incidents of Android devices infected with spyware, the earliest occurring in 2009.

The choice of targeting Android devices in particular should come as no surprise to those following mobile industry trends. Given Android’s meteoric rise in market share, it’s no surprise to Kaspersky, either:

“The IT market research and analysis organization IDC has noted that those selling devices running Android are experiencing the highest growth in sales among smartphone manufacturers,” says Maslennikov. “As a result, we can expect to see a corresponding rise in the amount of malware targeting that platform.”

Does Android Need AV?

According to a statement from Google, the application installation process is designed to protect users from attacks like these since it details what information and system resources the app has permission to access – such as sending an SMS. “Users must explicitly approve this access in order to continue with the installation,” the statement reads. “We consistently advise users to only install apps they trust. In particular, users should exercise caution when installing applications outside of Android Market.”

However, the release of a Trojan disguised as an app is an inventive way to get malware onto mobile devices. In this case, the Trojan takes advantage of users’ lack of attention to the installation process as well as Google Android’s openness – this operating system isn’t tied to a closely managed and “curated” marketplace of approved applications like the iPhone is with iTunes. Although Google does step in to remove apps from its Market when security concerns are present, nothing prevents developers – especially nefarious ones like these – from forgoing official channels and publishing their own apps elsewhere, then tricking users into installing them.

But even if the Trojan came through backdoor channels, it’s at least a small blow for an OS with security at the forefront of its design.

The security firm says it plans to release a version of Kaspersky Mobile Security for the Android operating system in 2011.

We can already picture the Apple vs. Android TV ads now: “iPhones aren’t susceptible to the viruses plaguing Android phones…” Justin Long will smugly state. Now, who will play “Android guy?”

Update: Added statement from Google.

Image credit in original post: Neonmonster, artist: Andrew Bell