According to Sophos, First Tech Credit Union has discovered the Droid09 app - which claimed to be a mobile banking application - on Android Market. Those that used the app would have seen their banking logons and passwords stolen by cybercriminals, possibly for use in ID theft.
The security vendor says it has not yet seen the malware, which has been removed from the Android app store.
"Although malware has previously emerged for jailbroken iPhones (such as the infamous Rick-rolling Ikee worm) the malicious applications have not made it onto users' iPhones via Apple's highly guarded AppStore," Graham Cluely from Sophos said in a blog.
"The Android marketplace, however, is not as closely monitored as Apple's equivalent, and adopts a more 'anything goes' philosophy. This, combined with the current buzz around new phones running Android such as the Google Nexus One, may make the platform more attractive to cybercriminals in future."
Cluely added that as more and more users inevitably take advantage of smartphones to access their bank accounts in the future, the temptation for hackers to exploit systems may become greater.
See all mobile phone reviews