Tap Snake, an version of a 1970s-era video game called "snake," is available from the Android Market online store.
Though the application appears to users as the original version of the game, it can also be secretly used as a client for a $4.99 commercial spying application called GPS Spy, both companies warned in separate advisories this week.
Once installed, a third party who gains access to the Android device can program the game to secretly report its location at any time to another system running GPS Spy. The Tap Snake software is designed to continually run in background on an Android-based system.
"GPS Spy downloads the [Tap Snake] data and uses this service to conveniently display it as location points in Google Maps," Symantec said in its advisory. "This can give a pretty startling run-down of where someone carrying the phone has been."
The GPS data includes the date and time of a user's location at the time the data was sent.
A potential attacker would need physical access to an Android device in order to enable the game application's spying capabilities, noted Sean Sullivan, a security researcher with F-Secure.
To enable tracking by GPS Spy, an attacker would need to install the game on a device, and then register the game by entering an e-mail address and a specific 'key,' he said. This same registration information must later be typed into the phone running GPS Spy in order to enable tracking.
Though there are similar spy tools for Android, iPhone and other mobile devices, "what's unique about Tap Snake is that it doesn't declare what it is when you register the game," Sullivan said, "You put in the e-mail, you put in the keycode it starts to do the spy work," without any notice, he said.
"There are plenty of applications available that do the same thing and disclose this information up front, and do not claim to be something else--the primary reason we consider this a Trojan," Symantec noted.
Though the Trojan allows for pretty intrusive tracking, the risk to users is somewhat mitigated because the program requires the attacker to have physical access to an Android. Even so, users would do well to password protect their phones, Sullivan said. "If your phone is locked, nobody has access to it.
A Google spokesman downplayed the warnings, saying the concerns relating to the applications were being overstated. "When installing an application, users see a screen that explains clearly what information and system resources the application has permission to access, such as a phone's GPS location," the spokesman said in an e-mailed statement.
"Users must explicitly approve this access in order to continue with the installation, and they may uninstall applications at any time. They can also view ratings and reviews to help decide which applications they choose to install. We consistently advise users to only install apps they trust," the spokesman said.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed . His e-mail address is firstname.lastname@example.org.