The researchers say this appears to be the first time hacked Web sites are being used specifically to target mobile devices.
According to AhnLab, fully 42.6 percent of apps require excessive permissions for device information access.
The companies will work together on research and development, and will make Lookout's security app available to Deutsche Telekom's customers.
The proof-of-concept malware uses the device's motion sensors to steal passwords and other user data.
The malicious apps are being offered on Web sites that mimic the official Instagram site.
The operating system scored well for its security, authentication, device wipe functionality, firewall and virtualization.
Researcher Paul Brodeur created a proof of concept app that was able to access system information, along with data on the device's SD card.
Is your company prepared to manage the risks introduced by the BYOD (Bring Your Own Device) trend? Here's how to review and strengthen your organization's mobile security posture.
The malware has been found in alternative Android app markets, though it hasn't yet been found on Google Play.