Spammers have created a mobile botnet out of infected Android phones, making it easier and cheaper to spam large numbers of fellow mobile users.
Phones silently send out thousands of spam SMS messages without the users' knowledge to lists of victim phone numbers that the malware automatically downloads from a command-and-control server.
The infected phones receive lists of about 50 phone numbers and send them a message that falsely tells victims that they've won a free gift card, security company Cloudmark said. After it sends out that batch, the malware immediately calls back to the server for more numbers to spam.
As with traditional botnets, which are networks of infected "zombie" computers controlled by one central machine, victims often don't even realize their phones are infected or running nefarious processes in the background.
That means unaware victims could suddenly find themselves with a disabled phone because the service provider thought it was being used improperly.
Victims become infected after accepting an unsolicited invitation to download a free version of a popular game such as "Angry Birds Star Wars," according to Cloudmark.
"As your intuition may hint the offer is often times too good to be true," Andrew Conway wrote on the Cloudmark blog. "If you do download this 'spamvertised' application and install it on your Android handset, you may be unknowingly loading a malicious software application on your phone which will induct your handset into a simple botnet."
Every Android user should install and use mobile anti-virus software. Whether free or paid, it's better than nothing at all.