Nearly 4.5 million Android users in the US have fallen prey to malware that turns handsets into part of a botnet used to send spam, hijack emails and buy event tickets in bulk through the infected systems.
First detected in 2012, the NotCompatible.C bug is in its third iteration in the wild, according to security firm Lookout.
Malicious code is used to infect websites that are accessed by phones, and when a user visits such a site, they are prompted to download the malicious code. This is known as a "drive-by download."
The attackers use spam email campaigns disguised as weight-loss solutions to get users to download the malicious code.
Attackers had previously sent spam to hijacked email accounts, but this time the hackers are trying to convert the infected systems into botnets to use them according to their requirements.
Lookout said: "At its heart, NotCompatible.C is an unrestricted proxy on a mobile device that offers the operators unfettered access to protected networks to which these devices connect."
"An infected [smartphone] present on an enterprise network would potentially allow attackers to enumerate vulnerable hosts inside the network, exploit vulnerabilities in these hosts and exfiltrate data."
The company also noted that the malware is causing severe battery drain.