Dubbed DDSpy, the malware hides in the app list and waits for instructions that can be delivered via SMS from a remote server.
"When DDSpy receives a command, it will configure the uploading email address and determine what content to steal. Our research shows that itís capable of uploading the userís SMS, call log, and vocal records," the researchers pointed out.
"In addition, it reserves a GPS-uploading interface for future development. Because of this strange activity, we are concerned that it will evolve into more malicious spyware."
The malware initiates the recording of phone calls either when it receives the command to do it or when it detects outbound calls, and stores the recordings on the phone's SD card. Once a day, all the recorded information is sent to the remote server.
The researchers didn't say where they found the app or whether an attacker must have physical access to the victim's phone to install it, but it's safe to say that if you find a Gmail app in your device's app list and you haven't put it there, it's unlikely a good thing.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.