The malware is affecting all the versions of Android prior to version 4.2.2 (Jelly Bean).
"It has been observed that a critical vulnerability exists in Android which could allow attackers to inject malicious code into legitimate applications which makes it possible to change an application's code without affecting the cryptographic signature of the application, essentially allowing a malicious author to trick the Android device into believing that the crafted application is unchanged," the Computer Emergency Response Team-India (CeRT-In) said in its latest advisory to Android users in the country.
The malicious programme, the advisory said, is so damaging that it could be used for stealing personal information like email addresses, IMEI numbers, SMSes and installed applications.
"It could also send SMS or make calls from infected devices without user consent," the sleuths of the national cyber security centre said.
"An attacker could exploit this vulnerability by placing other files with same name into an application package along with the legitimate files. The Android package verification occurs against the first file during installation. Thus, the crafted .APK passes the verification process and installs the second file. However, at runtime, other malicious file gets executed," the advisory said.
The cyber police have also suggested some countermeasures.
"Check for the permissions required by an application before installing, exercise caution while visiting untrusted sites for clicking links, run a full system scan through a device with a mobile security solution or mobile anti-virus solution, do not download and install applications from untrusted sources and download applications only from trusted sources, reputed application markets and Google play store," the security agency said.