Web users suspect a Shanghai company is behind a virus that has infected 1 million smartphones, stealing private information and money.
The "Geinimi" virus is considered as the most serious attack so far against Google's Android operating systems, warn phone security experts.
It steals data and triggers automatic downloads of other fee-charging malware to users' phones.
But behind the virus, web users believe they have discovered a grey industry targeting the Android operating system, where small companies have united to develop malware to fleece unwitting victims.
Web users on cell phone forum bbs.gfan.com reported how they came upon the name of local company "The Advertising Companies' Union" after they logged on a now-banned website, www.geinimi.com.
They claim the website assigned "missions" to anyone intending to work for it - to spread infected games and software to major forums and get a share of income once "the job's done."
Once smartphone users download this infected software, it uploads their personal date to a remote server, triggering the automatic download of other malware.
This can lead to huge costs in communication and software service fees, while users are blissfully unaware that anything is happening as the virus blocks warning messages from the phone operator.
According to the forum users, the advertising company makes its money through its Geinimi software, which facilitates the automatic downloads of other software companies' products. They charge cell phone owners, and the advertising company takes its cut.
Although forum users tracked down The Advertising Companies' Union to the city's Caohejing Hi-tech Park in Xuhui District, the company and its website "vanished" after an anti-virus company detected the virus and warned the public.
NetQin Co., one of the country's leading phone security companies, said the virus surfaced at the end of last November and had infected at least 900,000 phones across the country by the beginning of January.
Its engineers advise Android users to only download well-rated applications on the Android Official Marketplace.
Users can check whether their cell phones are infected by sending short messages to their phone operator. If the replies are blocked, the phone could be infected.