IT security and data protection company Sophos is warning Android users about malware being distributed disguised as the popular photo-sharing app Instagram. 

Cybercriminals have created fake versions of the Instagram Android app, designed to earn money from unsuspecting users. Instagram was recently acquired by Facebook for $1 billion so there is a bit of interest in the outfit. Curiously, the malware contains a random number of identical photos of a man.

Graham Cluley, senior technology consultant at Sophos said that he had no idea who the man was or whether there is a reason why his picture has been chosen to include in the download.

"Could he be the malware author? A family friend? A celebrity? Someone who the malware author has a bone to pick with? We're hoping that the internet community will help us identify him and solve the mystery."

Sophos says that if Android owners download the app from unapproved sources, rather than official sites such as the official Google Play Android marketplace, they run the risk of infecting their smartphone. Once installed, the app will send background SMS messages to premium rate services earning its creators revenue. 

Sophos products detect the malware, which has been distributed on a Russian website purporting to be an official Instagram site, as Andr/Boxer-F. Cluley said that Android malware is becoming a bigger and bigger problem.  Last week he saw a bogus edition of the Angry Birds Space game and it’s quite likely that whoever is behind this latest malware are also using the names and images of other popular smartphone apps as bait.  

Infected Androids are now effectively part of a botnet, under the control of malicious hackers.  Android users need to be extremely careful when downloading applications from sites, especially when they’re not official Android markets.