Aaron Gingrich, for Android Police:
Openness — the very characteristic of Android that makes us love it — is a double-edged sword. Redditor lompolo has stumbled upon a perfect example of that fact; he’s noticed that a publisher has taken ‘… 21 popular free apps from the market, injected root exploits into them and republished.’ The really scary part? ‘50k-200k downloads combined in 4 days.’
There’s another APK hidden inside the code, and it steals nearly everything it can: product ID, model, partner (provider?), language, country, and userID. But that’s all child’s play; the true pièce de résistance is that it has the ability to download more code. In other words, there’s no way to know what the app does after it’s installed, and the possibilities are nearly endless. [emphasis mine]
(Via Daring Fireball.)
Do I even have to say it?