Hundreds of thousands of Android phones have become infected with a malware programme that uses the handsets it controls to send spam and bulk-buy event tickets.

The bug, called NotCompatible, has been described by mobile security company Lookout as the most sophisticated it had ever seen.

Jeremy Linden, a security analyst at Lookout, said to the BBC: “The group behind NotCompatible are operating on a different plane to the typical mobile malware maker.” Apparently, the bug’s core code has recently been rewritten to make it harder to thwart. Usually, according to Linden, mobile malware efforts only last a couple of weeks but the NotCompatible makers have been operating for over two years, with the programme itself first appearing in 2012 and currently inhabiting its third iteration, reaching a level of sophistication comparable to malware aimed at desktop computers.

“[The makers] are successful enough to make it worth ripping out the back end of the malware to make it be much more stable and resistant to efforts to take it down,” he said. This third version of the software, Linden added, uses end-to-end encryption, peer-to-peer networking technologies and stealthy operating procedures to help it avoid being spotted.

Once a phone is infected with NotCompatible, according to Linden, it’s enrolled into a network that is being rented out to any criminal group that needs a source of Android users. The phones are then used for a variety of tasks, such as sending spam, attacking blogs hosted on WordPress and bulk-buying tickets for popular events that are then resold at a large profit. NotCompatible is spread via spam and websites seeded with booby-trapped downloads. Linden urged Android users to be wary of any app that needs a security update to be installed before it runs.

“This is the most technically sophisticated threat we are facing and it’s the most worrying to us,” he said.