Technical University Berlin researcher Ravi Borgaonkar discovered a series of websites that trick users into entering a malicious code that initiates a factory reset on devices running Android 2.3 and up.
Google has issued a fix to protect users against the malware after it emerged that handsets running its operating system are incapable of telling the difference between the reset-triggering USSD codes and a standard phone number.
Some of the malware was found to be targeted towards Samsung devices, while others affected HTC, Motorola, and Sony Ericsson handsets.
Users are advised to ensure that their phone has the latest updates installed, but McAfee security expert Jimmy Shah points out that the malware is not especially useful to cybercriminals.
"There's no benefit to the attacker if they can't make money off it or they can't steal your data," he said. "It's really not that useful."
Earlier this year, it was claimed that Android handsets were being used as botnets to generate spam emails, but Google moved quickly to dismiss such reports.