This Sort of Attack Can Take Place on Nearly Any Device
While it's easy to blame Android's ability to load apps from anywhere, the fact is that this sort of attack could take place on nearly any device through a link delivered by a text message or through an infected Web page. Getting the app installed on an Apple iOS device or a Research in Motion BlackBerry might be a little more difficult, but with appropriate social engineering, it's certainly possible. And, of course, this is the difficulty in defending Android devices against malware. The fact is that these are by design open devices. Android-based smartphones and tablets are intentionally designed to be able to use software from anywhere. The information anyone needs to develop apps, including malicious apps, is readily available and the development process is relatively straightforward. More important, you don't have to deal with Big Brother looking over your shoulder while you develop something truly cool. Or truly evil.Of course, the same thing is true for most of the malware that runs on iOS or BlackBerry OS. Regardless of how the rogue app arrived on your device, you still have to allow it to function the first time. Think about all of the times when you've casually granted trusted application status to some new app without thinking about why it needed that. While paying attention to what you're running and where it comes from won't solve the malware problem, it will certainly help control it.
Google does offer a protected area where you can find apps that have been checked and sanitized. That's the safe approach. But Android users have another option, which is to be educated about the device OS, and then to pay attention to what's happening when they install a new app. For the new app to work properly, you have to give it permission to access a variety of services on the device. Instead of simply answering yes to everything, perhaps it would make more sense to check the app out as much as possible before downloading, and then see if it asks for permission it shouldn't need. You can always say no.