Experts have said the spying bug was made by people with a “great deal to lose if their identities were made public”.
An “extremely sophisticated” piece of malicious software has targeted embassies, financial institutions, oil companies and military bases across the globe.
Security company Blue Coat says the virus, which its researchers have dubbed “Inception”, began by targeting Russian organizations but spread to nearby countries, including Ukraine and Uzbekistan, before hitting Europe.
Companies and institutions in Germany, France, Italy and Belgium have been affected.
The software, which spans 60 mobile networks, is contained in Trojan documents delivered by highly targeted phishing emails.
Experts named the virus after the 2010 movie with the same name – because of the many layers used in the software design.
Snorre Fagerland, senior principal security researcher at Blue Coat, told Sky News: “I would say it smacks of government intelligence gathering. Particularly since we know the guys have been trying to break into embassies and the UN.”
Mr Fagerland went on to add that it was unlikely the malware originated from China or Eastern Europe.
The attack evolved to cover mobiles, targeting iOS, Android and BlackBerry devices with phishing attacks.
The report says: “With the top three operators being Vodafone, TMobile and Proximus (Belgacom) it seems these apparent phishing attacks are less focused on the Russian sphere than the previously discussed malware.”
Belgian operator Belgacom was also the target of the Regin spyware, which facilitated spying on computer users between 2008 and 2013 and was thought to be the work of either British or US security services.
Mr Fagerland said Belgacom – a leading provider for EU workers in Brussels – was “an interesting focus of the attackers”.
The Android malware let the hackers record phone calls and extract them from a mobile, Mr Fagerland said.
He also told Sky News: “Another thing that is remarkable is the level of paranoia.
“They were not only hiding their identity, but planting false clues… This is made by people who would have a great deal to lose if their identities were made public.”
The malware was created in late May 2014 and started operating in June.
Mr Fagerland said the attack was on a similar scale to the Red October malware.