Seems like we've been hearing about the security vulnerabilities of Android apps for a while and here's a test case. Steamy Window is a silly little app where you get a screen that looks like it has steam on it, then you can draw on it like you would a fogged up car window. The app was apparently downloaded, hacked into, a Trojan Horse installed, and then the app was rereleased onto third party Android app sites that Google doesn't control. If you install the infected version (which of course looks exactly like the non-infected version) the app sends out hundreds of text messages from your account, installs other infected apps, and takes over your browser. The hack was reported by the security firm Symantec.
The Trojan can "install other applications, monkey with the phone's browser bookmarks, surreptitiously navigate to Web sites and silently send text messages, said Thakur. The last is how the criminals make money. 'The Trojan lets them send SMS [short message service] messages to premium rate numbers,' said Thakur, for which the hackers are paid commissions."