Typical incompetent crap
This article contains the typical incompetent crap you can expect from an ElReg article. The only surprising thing is that the blame does not lay only on the stupid journo who has written it (as is usually the case) but also on the AV companies from whose blogs he has taken the info.
You see, folks, there ain't no such thing as "Android Instagram SMS Trojan". This thing is not specific to the Instagram app in any way. You see, the scam works like this.
There is a site (a whole network of sites, actually), which claims to be a repository of Android apps - mostly free ones. It's not a market, technically - it's just a site from where you can download app. The site is Russian. Why would anyone want to use a dodgy site instead of the Google Market/Play or whatever it is called this Thursday? Beats me. We're talking Russia, remember? Maybe they don't have an easy enough access to all these apps - remember, Google restricts them by country. Maybe it's too slow or expensive to connect to the genuine market. Maybe they just don't know better. Whatever.
Any time the (l)user tries to download an app from these Russian sites, no matter which app s/he has specified, s/he gets something completely different. It is actually a "download app". This app sends 3 SMS messages to premium numbers (some variants even say that they would do so, although they don't specify clearly the numbers and the costs) and then download the real app that the user has ordered. Which app it is is written in a data file inside the APK file (APK files are ZIP archives) of the "downloader app" - but the code of the "downloader app" is one and the same, no matter which particular (genuine) app the user has ordered.
In addition, random data files are added automatically to the APK file of the downloader, in to fool AV programs that depend on whole-file checksums. This is done automatically before every download of the "downloader app".
But that's not all. In addition, very often (almost every workday) the code of the "downloader app" is edited manually, some trivial changes are made in it (e.g., the classes are renamed, some lines are switched around, variables are defined, etc.) and the "downloader app" is recompiled. This is done in order to fool AV programs that checksum the file inside the APK archive that contains the actual code (classes.dex).
So, basically, the thing uses server-side polymorphism. It's a downloader and it is stupid to name it after one particular app that the original researcher has initially downloaded without thinking or analyzing the thing.
It's not really new, either. It's called FakeSMSInstaller and has been around for several months already. But since a new variant appears almost every day, some poor excuse for an AV researcher has decided that they have found something genuinely new. Not so, grasshopper!