A mobile malware campaign that targets Android users has infected up to 4.5m phones in America since January 2013, hijacking the phones and turning them into a so-called botnet.

The mobile malware, called NotCompatible.C, has been tracked by mobile security company Lookout, who provided the estimate figures.The company has been following the malware for two years, and has seen it grow increasingly sophisticated.

According to Lookout, there is evidence that the figures behind NotCompatible.C have been renting out control of infected mobile devices to send out spam and buy up event tickets in bulk from sites like Ticketmaster, Live Nation and Craigslist. Some have even used infected devices to try to crack into WordPress accounts.

Phones are infected when they visit legitimate sites that have been infected with malicious code, or through spam email from other hijacked accounts. More recently, attackers have been tricking victims into installing the malware by disguising it as a security patch in an email attachment.

“NotCompatible.C has set a new bar for mobile malware sophistication and operational complexity,” said Tim Strazzere, mobile security analyst at Lookout. “The command infrastructure and communication perseveres and self-protects through redundancy and encryption, making it elusive and enduring. Its an earthworm with its tail cut off that regenerates and thrives.”

Our flagship event, Mobile Marketing Life, takes place in London on 27 November. Brands go free. Book your place here.