Google has greatly increased security in its Android app store in the past year, but there's still one way in which Apple has it beat.
Except in special cases, Apple doesn't let apps download and run new code after installation. Google does, and that gap is probably how two malicious apps snuck into the Google Play app store on June 24 and stayed there for more than two weeks.
The two apps, a counterfeit version of "Super Mario Bros." and a fake twist on "Grand Theft Auto" called "GTA 3 — Moscow City," seemed normal enough at first — normal enough to avoid being caught by Bouncer, Google's automated app-screening tool.
But after installation, each app reached out to a Dropbox cloud-storage account and downloaded an extra component, or "remote payload" in security-speak, called "Activator." Activator silently sent out premium-rate text messages that the user wouldn't learn of until the following month's phone bill.
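The two-stage pattern described above (a clean-looking app that later fetches a second component from cloud storage and needs the SEND_SMS permission to cash in) is something an app-vetting pipeline can triage statically. The following is an added example, not Symantec's or Google's code: a heuristic that reads an app's manifest permissions and the string constants pulled from its bytecode, and flags the combination of dynamic code loading, a cloud-storage download host, and SMS permission. It assumes the payload loader shows up as a reference to a Dalvik class-loader API (the article does not say how Activator was loaded) and uses constructed sample manifests and strings.

```python
"""Static triage for the 'remote payload' Android pattern.

Inputs are a manifest XML string and the string constants extracted from
the app's bytecode (e.g. from a dex decompiler). Sample data below is
constructed for this example; it is not taken from the real apps.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Dalvik/Android class-loader APIs that load code not present in the
# installed APK. Seeing them is a heuristic indicator, not proof of malice.
DYNAMIC_LOADERS = (
    "dalvik/system/DexClassLoader",
    "dalvik/system/PathClassLoader",
    "dalvik/system/InMemoryDexClassLoader",
)
# Dropbox is the host named in the article; the other entries are
# assumptions about hosts commonly used for second-stage payloads.
DROP_HOSTS = ("dropbox.com", "dropboxusercontent.com", "drive.google.com")
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def manifest_permissions(manifest_xml: str) -> set[str]:
    """Return the set of <uses-permission android:name=...> values."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name", "") for el in root.iter("uses-permission")}


def _on_drop_host(host: str) -> bool:
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in DROP_HOSTS)


def triage(manifest_xml: str, strings: list[str]) -> dict:
    """Score one app. verdict is one of:
    'remote-payload-sms' : dynamic loading + SEND_SMS (the article's pattern)
    'remote-payload'     : dynamic loading + network/download indicators
    'clean'              : nothing of note
    """
    perms = manifest_permissions(manifest_xml)
    loaders = sorted({api for s in strings for api in DYNAMIC_LOADERS if api in s})
    hosts = sorted({m.group(1).lower() for s in strings
                    for m in URL_RE.finditer(s) if _on_drop_host(m.group(1))})

    findings = []
    if "android.permission.SEND_SMS" in perms:
        findings.append("SEND_SMS permission")
    if loaders:
        findings.append("dynamic code loading: " + ", ".join(loaders))
    if hosts:
        findings.append("cloud-storage download host: " + ", ".join(hosts))

    if loaders and "android.permission.SEND_SMS" in perms:
        verdict = "remote-payload-sms"
    elif loaders and (hosts or "android.permission.INTERNET" in perms):
        verdict = "remote-payload"
    else:
        verdict = "clean"
    return {"verdict": verdict, "findings": findings, "hosts": hosts}


# --- constructed samples (not real app data) ---------------------------
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.gta3">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
</manifest>"""
SUSPICIOUS_STRINGS = [
    "Ldalvik/system/DexClassLoader;",          # loads a dex fetched at runtime
    "https://dl.dropbox.com/s/constructed/payload.apk",  # constructed URL
    "Activator",
]

CLEAN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.puzzle">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""
CLEAN_STRINGS = ["https://api.example.com/highscores", "Level complete!"]

if __name__ == "__main__":
    for name, m, s in (("gta3", SUSPICIOUS_MANIFEST, SUSPICIOUS_STRINGS),
                       ("puzzle", CLEAN_MANIFEST, CLEAN_STRINGS)):
        r = triage(m, s)
        print(f"{name}: {r['verdict']} {r['findings']}")
```

The verdict is a triage signal for a human reviewer, not a conviction: legitimate apps do use DexClassLoader (plugin frameworks, hot-fix libraries), so the point is the combination of loading unreviewed code and holding a billable permission, which is exactly what let these two apps pass a one-time scan and monetise later.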
"What is most interesting about this Trojan is the fact that the threat managed to stay on Google Play for such a long time, clocking up some serious download figures before being discovered," wrote Symantec's Irfan Asrar in a blog posting announcing the discovery of the malware. "Our suspicion is that this was probably due to the remote payload employed by this Trojan."
The two apps were downloaded between 50,000 and 100,000 times, Asrar noted, until Google removed them from the app store after being notified by Symantec.
The apps targeted Russian-speaking Android users, who tend to live in countries where government and carrier oversight of premium-rate text-message services is lax. (Premium-rate text-message scams are far less common in North America, where carriers police such services more tightly.)
Asrar pointed out that Activator did warn users that it could send out SMS messages — but only after it had already done so.
To avoid being scammed by dodgy Android apps (which unfortunately still crop up in Google Play), check the listed developer of an app before you download it.
Every gamer knows that "Grand Theft Auto" is made by Rockstar Games, and that "Super Mario Bros." is made by Nintendo, yet neither company was involved in creating these two fake apps. (Nintendo has NO apps in either Google Play or the iTunes App Store.)
So don't download obviously counterfeit apps. If you do, you'll get what you (don't) pay for.