In a statement, the company, formerly known as Kaspersky Lab, said the Trojan-Banker.AndroidOS.Gustuff had been noticed in recent traffic from its botnet tracking system.
The SMS campaign included messages like "Jassica shared an album with you hxxp://instagram-shared.pw/SexyJassica on Instagram Shared". If one of these messages was opened on a device that had an Australian IP address, the URL would redirect to the malware site and download the malware.
"Besides the common technique of monitoring installed applications and overlaying them with a WebView, Trojan-Banker.AndroidOS.Gustuff now checks for URLs opened in a browser and is able to open a WebView with a fake site overlaying the original Web page," Oleg Abdurashitov, Kaspersky's head of APAC public affairs, said.
The trojan did not limit its activities to these two websites. Banking applications, payment applications and crypto-wallets were also targeted. Users' credentials were harvested by overlaying the original app interface with a phishing Web page, which was either downloaded from a command-and-control server or loaded from a local archive that Gustuff had saved on the device earlier.