Malware called Dogspectus is installing ransomware on older Android devices without users realising, according to security firm Blue Coat Systems.
"An exploit kit being used to deliver ransomware to Android devices uses several vulnerabilities to install malware onto the victim's phone or tablet silently in the background," said Blue Coat director of threat research Andrew Brandt in a blog post.
The UK has a particular problem with Android malware, and Dogspectus is a new version of an ongoing problem, according to Brandt.
"This is the first time, to my knowledge, that an exploit kit has been able to successfully install malicious apps on a mobile device without any user interaction on the part of the victim.
"During the attack, the device did not display the normal ‘application permissions' dialogue box that typically precedes installation of an Android application."
The test device was running the Cyanogenmod 10 version of Android 4.2.2 at the time it was infected, suggesting that older phones and tablets might be vulnerable.
Brandt said that older devices, which have not been updated with the latest version of Android, may remain susceptible to this type of attack.
"That includes so-called media player devices meant to be connected to TVs, many of which run the 4.x branch of Android," he explained.
"Some of these older Android devices are now in the same situation as PCs running Windows XP. The OS may still work, despite no longer receiving updates, but using it constitutes a serious risk of infection."
Most ransomware attacks demand payment in bitcoins, but the Dogspectus hackers want iTunes gift cards, which could be an important clue as to the culprits.
"The ransomware doesn't threaten to (or actually) encrypt the victim's data. Rather, the device is held in a locked state where it cannot be used for anything other than delivering payment to the criminals in the form of two $100 Apple iTunes gift card codes," said Brandt.
"That's unusual because it's far more common nowadays for ransomware to demand non-trackable cryptocurrency like bitcoins. In theory, it might be possible for Apple (or its iTunes gift card partners) to track who used the gift cards provided to the criminals, which may help investigators identify them."
Brandt advised backing up content to avoid being caught out.
To hear more about security challenges, the threats they pose and how to combat them, sign up for V3 sister site Computing's Enterprise Security and Risk Management conference taking place on 24 November.
Mark Vartanyan was working for Norwegian e-healthcare firm Dignio when he was arrested
Samsung can't see a way to profitably compete against Amazon and Google
Fix being rushed out - but not quite as quickly as an ambulance to an emergency
Massive miner Rio Tinto claims 20 per cent of pit-to-port train kilometres in Australia are now driverless
Rio Tinto today, TfL tomorrow?