"I do think the bad guys are doing something like this, injecting their malicious code into existing apps," McNamee said. "It's pretty straightforward. It requires the ability to unpackage and repackage apps. It's not exceptionally tricky, but it does require some knowledge of how the Android system works."
Kindsight Security Labs previously reported, "It is surprisingly easy to add a command and control interface to allow the attacker to control the device remotely, activating the phone's camera and microphone without the user's knowledge. This enables the attacker to monitor and record business meetings from a remote location. The attacker can even send text messages, make calls or retrieve and modify information stored on the device - all without the user's knowledge."
The report added, "When connected to the company's Wi-Fi, the infected phone provides backdoor access to the network and the ability to probe for vulnerabilities and assets. With these features, an ordinary smartphone becomes the perfect platform for launching advanced persistent threats (APT)."
Sign up for CIO Asia eNewsletters.