"It wasn't difficult to build," said Nicholas Percoco, head of Spider Labs, who along with a colleague, released the tool at the Defcon hacker's conference in Las Vegas on Friday.
Percoco said it took about two weeks to build the malicious software that could allow criminals to steal precious information from Android smartphones.
"There are people who are much more motivated to do these things than we are," he added.
The tool is a so-called root kit that, once installed, allows its developer to gain total control of Android devices, which are being activated by consumers at a rate of about 160,000 units per day, according to Google.
"We could be doing what we want to do and there is no clue that we are there," Percoco said.
According to Reuters, The test attacks were conducted on HTC Corp's Android-based Legend and Desire phones, but he believed it could be conducted on other Android phones.
The tool was released on a DVD given to conference attendees. Percoco was scheduled to discuss it during a talk on Saturday.
Google and HTC did not immediately return calls for comment.
Some 10,000 hackers and security experts are attending the Defcon conference, the world's largest gathering of its type, where computer geeks mix with federal security officials.
Attendees pay $140 in cash to attend and are not required to provide their names to attend the conference. Law enforcement posts undercover agents in the audience to spot criminals and government officials recruit workers to fight computer crimes and for the Department of Defense.
Organizers of the conference say presenters release tools such as Percoco's root kit to pressure manufacturers to fix bugs.
(Reporting by Jim Finkle; additional reporting by Alexei Oreskovic in San Francisco; editing by Andre Grenon)