NYTimes reported on the malicious software spreading on Android phones.

A particularly nasty mobile malware campaign targeting Android users has hit between four million and 4.5 million Americans since January of 2013, according to an estimate by Lookout, a San Francisco mobile security company that has been tracking the malware for about two years.

How Android phones get infected:

Criminals infect smartphones primarily by infecting legitimate websites with malicious code. When victims visit the site from their mobile phone, they inadvertently download the code, in what is known as a “drive-by download.”

In other cases, the attackers sent spam from hijacked email accounts to their victims. That technique, Lookout’s researchers say, successfully caused more than 20,000 infections a day. More recently, researchers say, attackers have been tricking their victims into installing the malicious code by disguising it as a “security patch” in an email attachment. In still other cases, spam emails advertised weight loss solutions with a link that served up malware to Android users.

Goals of the malware:

The attackers’ goal, researchers say, is to infect as many smartphones as possible and turn them into a so-called botnet, a network of infected devices that attackers can use for various malicious purposes. Lookout’s researchers say there is evidence that Not Compatible’s authors are renting out control of infected mobile devices to people who have used them to send out more spam or to buy up event tickets in bulk from Ticketmaster, Live Nation, EventShopper and Craigslist. Some have used infected devices to try to crack WordPress accounts.

If you suspect your phone might have been infected, download the malware detection app and run a scan.