Blue Coat researcher Andrew Brandt says ancient Androids can be hijacked with persistent ads that force victims to buy US$200 worth of iTunes gift cards.
Brandt considers the spam as ransomware since it traps infected Androids in a locked screen state until victims buy attackers gift cards which would presumably be later flipped for cash.
A majority of Android devices run older versions of the OS that lack the security improvements present in the more recent Lollipop and Marshmallow releases.
Brandt says attackers have since at least February used an exploit leaked in the Hacking Team breach and the 2014 TowelRoot exploit to deliver the ransomware without interaction.
"This is the first time to my knowledge [that] an exploit kit has been able to successfully install malicious apps on a mobile device without any user interaction," Brandt says.
"During the attack, the device did not display the normal application permissions dialog box that typically precedes installation of an Android application.
"In theory, it might be possible for Apple - or its iTunes gift card partners - to track who used the gift cards provided to the criminals, which may help investigators identify them."
The TowelRoot exploit once executed downloads the ransomware malware which then runs on boot and kills other apps.
Users can still copy their files from infected devices before entering recovery mode and flashing a clean - and preferably updated - Android operating system.
Brandt found 224 devices infected since February of which some are thought to have been infected using unknown alternative exploits to the Hacking Team code.
Blue Coat examined the malware on a device running the custom Cyanogenmod 10 cur of the Android 4.2.2 operating system. ®