"We expect attackers to continue to leverage this vulnerability to infect unsuspecting user devices," its report warned.
"Symantec recommends users only download applications from reputable Android application marketplaces."
The firm added that affected users could manually remove the software by going into their settings menu.
One telecoms consultant said the news highlighted the difficulty Google had in distributing changes to Android.
"When Google releases its updates, manufacturers want to check them and then network operators also want to certify the code as well," said Ben Wood, director of research at CCS Insight.
"It's a consequence of having so many different firms making Android devices, with most running their own user interfaces on top.
"By contrast, Apple just pushes its updates directly to consumers."