Win McNamee/Getty Images
It's a banking "trojan," which is designed to steal its victims' banking details. One way it does this is by creating phishing windows designed to dupe users into entering their details. It can also read and and delete text messages sent to users by their banks.
The worrying part is how it makes its way to the victim's phone. Researchers from security firm Kaspersky found that it is being distributed by AdSense - Google's huge advertising network which is used by countless companies and people to display ads on their websites. Ads that are powered by AdSense appear everywhere from tiny blogs to the websites of international news organisations (Kaspersky researchers saw it appear on RT, the state-owned Russian media company); it's the single biggest ad network in the world.
Google did not immediately respond to a request for comment.
Kaspersky
And, as well as stealing financial data, it also spies on the victim more generally: "Svpeng collects an impressive amount of information from the user's phone - the call history, text and multimedia messages, browser bookmarks and contacts," Kaspersky researchers wrote in a blog post on Monday.
There are ways to avoid being infected. If users have their security settings set so their phone won't run apps from unknown sources, their devices won't be compromised. By default, Android won't run unknown apps - but it is sometimes necessary to change these settings (to install apps from third-party app stores, for example) - putting the phone at risk.
The malware appears to be specifically targeting Russian users, as it was designed to create phishing windows for a specific Russian bank. But it's still embarrassing for Google, and fuels the argument often made that online ad-blocking is sometimes necessary as a security measure to protect the user.
Ad networks used by media organisations have been caught accidentally delivering malware to readers before. Back in September 2015, for example, researchers found news site Forbes was accidentally delivering malware to users via malicious ads. The issue was subsequently resolved.