An Android Trojan app that sends SMS messages to premium-rate numbers has expanded globally over the past year, racking up bills for users in over 60 countries including the U.S., malware researchers from Kaspersky Lab said.

The malware program, which Kaspersky products detect as Trojan-SMS.AndroidOS.FakeInst.ef, dates back to February 2013 and was originally designed to operate in Russia.

The Trojan disguises itself as an application for watching porn videos, but once installed on a device it downloads an encrypted configuration file and starts sending SMS messages to predefined premium-rate numbers, depending on the user’s mobile country code.

For example, when the malware encounters mobile country codes—special codes used by carriers to identify mobile networks in different countries—in the range of 311 to 316, which correspond to the U.S., the malware sends three messages that cost $2 each to 97605, the Kaspersky researchers said in a blog post Wednesday.

The malware can also intercept incoming messages and can receive commands from command-and-control servers to send specific text messages to particular phone numbers.

And there's more than one

The Kaspersky researchers have identified 14 different versions of Trojan-SMS.AndroidOS.FakeInst.ef and determined that the malware has spread to 66 countries.

“This particular program was the first SMS Trojan to reach users in the U.S.,” said Roman Unuchek, senior malware analyst at Kaspersky Lab via email.

According to the antivirus vendor’s statistics, the number of Trojan-SMS.AndroidOS.FakeInst.ef victims in the U.S. is still low, with the largest number of infections being recorded in Russia and Canada.

Cybercriminals have used premium-rate SMS Trojans for years to steal money from Android users in China, Russia and other countries where the use of non-official app stores is common. However, Trojan-SMS.AndroidOS.FakeInst.ef and another widespread Trojan called Trojan-SMS.AndroidOS.Stealer.a, which has support for 14 countries, suggest a global escalation for this type of threat.

“It appears that the cybercriminals have built up sufficient resources to expand their illegal business on a global scale,” Unuchek said.

The Kaspersky researchers did not clarify how the rogue apps that carry this Trojan are being distributed. The apps are not likely downloaded from Google Play, because Google has gotten much better at policing its app store in recent years. So Android users are probably affected after specifically configuring their phones to allow the installation of apps from “unknown sources.”

Many users might have that setting enabled because it’s needed to install some legitimate applications that can’t be distributed through Google Play for policy reasons—for example some online poker clients. In addition, attackers could also use social engineering techniques to trick users into enabling support for unknown app sources.