One of the world's most prolific Android malware instances is still the most prevalent piece of malware more than two years after it first emerged.
The capable trojan known as Ghost Push infects Android up to version five, aka Lollipop, still employed by about 57 per cent of all users.
Ghost Push won't run on Android version six, Marshmallow, and the recently released version seven Nougat which together account for about 10 per cent of Android devices.
Cheetah Mobile researchers say most infections come from malware-laced installations of pirate and open source apps offered outside of the Google Play store.
"So far, this trojan family represents most infections," the researchers with the popular Chinese antivirus firm say.
"[The trojan] is able to root almost all Android versions except for Android 6.0.
"The trojan also leverages the SU files of several different parameters which are able to prevent other third parties from gaining root privilege."
One application MXplayer is a legitimate file explorer application hosted on the Android XDA forums popular for its lack of spam ads and features common in equivalent Google Play apps.
The researchers say Ghost Push spreads through pornographic websites and deceptive advertising.
Users should update their handsets to the latest versions of Android as soon as new updates are released, and incline towards pure Android devices like Nexus and Pixel for the fastest application of patches.
Those with handsets abandoned by their phone manufacturers - typically 18 months after devices leave retail shelves - should consider running third party ROMs like Cyanogenmod and NamelessROM which are often updated weekly and run a purer strain of Android. ®