G DATA spokesman Christian Lueg says the phones appear to have been installed by middlemen, but in tracing the source "we lost the trail in China."
Users can detect some malware with free softwareand set up their phones to avoid more of the bugs, like the "Certifi-gate" vulnerability, by not downloading third-party apps from sources outside the official app store.
Limiting automatic retrieval of messages can also help reduce the chances of unintentionally downloading malware, as was the case with the Stagefright bug -- called "the mother of all Android vulnerabilities" when it was discovered in July.
Though manufacturers and software makers create patches to help fix some of the holes exploited by malware, not all patches will work on every phone since Android users are often running different versions of the operating system.
More than 1.1 billion Android smartphones are expected to ship in 2015, a 79 percent share of the global market, according to a report by the industry analystIDC.