I just read this story from BBC news...
Android hit by rogue app viruses
...this reinforces the idea that you should always check permissions before installing an app, even though I doubt this would help if the app included malicious code. I would like to see an explanation of why each permission was needed on the developer page, rather than just a statement saying "Requires full internet access" or whatever.
A few things we need to think about...
1) There is no guarantee (or proof) that the anti-virus apps currently available are able to remove these threats, or for that matter if they are even capable of detecting them. I haven't seen any test results anywhere but I'd love to read about it if someone knows where there are some.
2) We should all learn now how to re-install our firmware, whether it be replacing it with a custom ROM, or just re-installing the official operating system because currently, according to a couple of sources, that is the only way to be completely sure you have removed the virus. Of course those of us who are used to flashing new firmware are more than capable of this, but we need to be prepared to give help to people who might get into trouble.
3) Only ever install apps from the official Android market and not from any third-party websites or sources. If possible check out the associated developer's page.
4) Be careful and observant about which apps we install. Do you really need that app that generates farting noises when you shake your phone? Really?
It was inevitable that malicious code would find its way to Android. The operating system is simply too successful and widespread for it not to be looked at by criminals. The main thing to remember at the moment is don't panic, and be vigilant when installing new apps.
EDIT: More info IN THIS ARTICLE. - Thanks to HappyH for the link.
EDIT: THIS ARTICLE is also well worth a read.
EDIT: HERE IS A FIX for the current exploit, you may need an XDA account to view it.
There is word of a (possibly) worse exploit in circulation. Some apps have been stolen (as in the above stories) but these have been modified, recompiled, converted into Latin, then scrambled. All we know is that they have initiated a countdown. A countdown to what exactly is anybody's guess. So far, the experts have been unable to unscramble (and thus decompile) the apps, so we do know that something will happen to infected devices, at some point in time, but we don't know what or when.
It's great to know that Google jumped on the known malicious code within 5 minutes of being made aware of it, taking it off the market and (apparently) removing it remotely from handsets - I didn't even know that was possible! Unfortunately, removing the offending app won't remove any additional code it has installed.
But we can take some comfort knowing that Google are aware of a situation, and no doubt have raised their security level accordingly.
EDIT: List of known malicious apps (04/03/11) - with thanks to AndroidPolice (http://www.androidpolice.com)
The offending apps from publisher Myournet:
Super Guitar Solo
Super History Eraser
Super Ringtone Maker
Super Sex Positions
Hot Sexy Videos
Hilton Sex Sound
Screaming Sexy Japanese Girls
Falling Ball Dodge
Advanced Currency Converter
Over 30 more have been found by Lookout:
Advanced Barcode Scanner
Supre Bluetooth Transfer
Task Killer Pro
Sexy Girls: Japanese
Advanced File Manager
Magic Strobe Light
Advanced App to SD
Super Stopwatch & Timer
Advanced Compass Leveler
Best password safe
Advanced Sound Manager
Magic Hypnotic Spiral
Color Blindness Test
Tie a Tie
Basketball Shot Now
Quick Delete Contacts
Omok Five in a Row
Super Sexy Ringtones