In the last few days, several malicious apps have come to the attention of the Android community (and Google itself). It was discovered that one developer had stolen apps, modified them with code designed to harm users, and uploaded them onto the market. In addition, another altered and infected app which inflicts charges on the user was found on websites distributing pirated apps.
The first apps I mentioned were published by Myournet and were, in total, downloaded by users over 50,000 times. The apps would secretly root the device they were installed on, as well as steal information about the handset's settings, specs, and cellular provider. The worst part about the apps is that they are able to secretly download more code onto the phone by themselves. Once one of these apps is installed, it can do what it wants, and it is hard to say what it has done from that point on.
Read through this entire list of the malicious apps and think back to whether or not you installed anything that sounded similar:
Super Guitar Solo
Super History Eraser
Super Ringtone Maker
Super Sex Positions
Hot Sexy Videos
Hilton Sex Sound
Screaming Sexy Japanese Girls
Falling Ball Dodge
Advanced Currency Converter
You won't find these apps listed on your phone any longer, as Google, once notified of the issue, quickly pulled the apps from the Market and from users' phones (as we saw once last year). Unfortunately, for those who did install those apps, that is not enough to keep you safe. Android Police writes that even though the apps have been removed, any extra code that the apps downloaded is likely still on your phone, doing its work unnoticed.
The AOSP exploit that these apps used was fixed by Google as of Android 2.2.2 and in every Android release since then, so if you're rocking Android 2.2.2 or up, I think you should be safe, but anyone running 1.5, 1.6, 2.1, or plain 2.2 should be concerned. This situation further highlights the disadvantages of giving carriers the ability to delay the release of new Android versions.
Android Central thinks that any phone which downloaded one of these apps should get a full system wipe and reset. They believe that the data wipe and factory reset which are available from inside the phone's settings may not be enough, and that to be sure the phone is clean, users who believe they are infected should look at possibilities such as "ODIN, RUU's, .sbf files or a trip to your carrier store if this is beyond your capabilities."
The second malicious app I mentioned in the teaser was found by Symantec, and was a concern because, besides being a pirated Android app, it also contained a trojan (called "Android.Pkapps"). The app is a modified version of Steamy Window, and has been circulating on pirated Android app sites. The official version of Steamy Window which is available on the Android Market is not infected, and can be safely used.
The concerning thing about the pirated and infected version of Steamy Window is that it signs users up for a premium texting service without the users' knowledge, then secretly sends texts to that premium service while blocking any incoming texts from the service, leaving users oblivious until their next bill from their cellular provider arrives.
If you ever believed that you don't have to worry about what permissions an app asks for upon install, let these two cases change your mind. Any time you install an app, check and see what permissions are being asked for.
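For anyone who wants to automate that permission check, here is an added example (not from the original post or from any of the sources it cites) that audits an `AndroidManifest.xml` already decoded to plain XML, for example with apktool. The mapping from the two behaviours described above to permission combinations is my assumption, and the sample manifests and package names are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Assumed mapping (not from the article): permission combinations that would be
# needed for the two behaviours the article describes.
RISKY_COMBOS = {
    "can send SMS and intercept incoming SMS": {P + "SEND_SMS", P + "RECEIVE_SMS"},
    "can read handset details and upload them": {P + "READ_PHONE_STATE", P + "INTERNET"},
}

def audit_manifest(xml_text):
    """Return a list of findings for a decoded AndroidManifest.xml string."""
    root = ET.fromstring(xml_text)
    requested = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    findings = [label for label, combo in RISKY_COMBOS.items() if combo <= requested]
    # A receiver with raised priority sees an incoming SMS before the stock
    # messaging app, which is how a text can be hidden from the user.
    for flt in root.iter("intent-filter"):
        actions = {a.get(ANDROID + "name") for a in flt.iter("action")}
        priority = flt.get(ANDROID + "priority", "0")
        raised = priority.isdigit() and int(priority) > 0
        if "android.provider.Telephony.SMS_RECEIVED" in actions and raised:
            findings.append(f"SMS receiver registered with priority {priority}")
    return findings

# Constructed sample manifests (hypothetical package names).
SUSPICIOUS = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.repackaged">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <receiver android:name=".SmsHook">
      <intent-filter android:priority="1000">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.wallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for name, text in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, audit_manifest(text) or "no findings")
```

A finding here is a reason to look closer, not proof of infection: plenty of legitimate messaging apps request both SMS permissions.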
Getting an anti-virus application would also be a good idea. I have one myself, and while it does add some time between the download and install of an app (and other actions), it provides peace of mind for those concerned about their security.