WinCE/InfoJack installs unwanted files and steals user information, and also leaves phones vulnerable to further malware infections.
McAfee researcher Jimmy Shah reported on a
company blog that the Trojan changes the phone's security settings to the lowest level, opening the door for other malware to be installed without any warning to users.
The US Computer Emergency Response Team (US-Cert) noted that the Trojan also prevents itself from being deleted and changes the homepage on the user's web browser.
The malicious payload is buried within a number of otherwise legitimate downloads. Infected applications being served on the modified homepage include Google Maps, a number of games and stock-trading software.
Shah explained that the Trojan has been traced back to a single site in China which has since been taken down. The researcher added that, when questioned, the site's administrator had an interesting explanation.
"The maintainer of the website claims that the software was just necessary to collect information on the types of mobiles used to access their site," wrote Shah.
"That would be easier to believe if they had notified the user prior to installation or if they had provided some sort of uninstall method."
US-Cert urged users to install and maintain antivirus software and be wary of applications they install on their mobiles.