Excerpt from a timely Android app security reality check
This past July, for example, researchers discovered that a free "wallpaper" program for Android called Jackeey collected personal information including the user's phone numbers, voice-mail information, and carrier data, and sent it to a website in China. Then in August it was found that a free game called Tap Snake is actually a tool for covertly monitoring a person's location. Tap Snake runs as a background service and sends the location of a phone to a website; the person who installed the game on that phone could then monitor the phone's location with another program called GPS Spy.
Tap Snake doesn't violate the Android security model: the program requires the ability to run as a service, monitor GPS position, and communicate over the Internet. But there are two problems with the Android security model. The first is granularity: although Android programs are required to tell the user which permissions they use, that doesn't explain what the apps actually do with these permissions. The second problem is engagement: the model requires that somebody use this information and take responsibility for the user's security.
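The granularity problem, as an added example that is not part of the original article: a Python audit of a decoded AndroidManifest.xml can show that an app declares the three capabilities named above, but a game and a navigation app give the same result. The manifests, package names and service names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
INTERNET = "android.permission.INTERNET"
FINE = "android.permission.ACCESS_FINE_LOCATION"
LOCATION = {FINE, "android.permission.ACCESS_COARSE_LOCATION"}


def make_manifest(package, permissions, services):
    """Build a constructed, decoded-XML manifest for the demo (not a real app)."""
    perms = "".join(f'<uses-permission android:name="{p}"/>' for p in permissions)
    svcs = "".join(f'<service android:name="{s}"/>' for s in services)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="{package}">{perms}<application>{svcs}</application></manifest>')


# Constructed samples: a game and a navigation app with identical declarations,
# and a puzzle that only asks for network access.
GAME = make_manifest("com.example.snakegame", [INTERNET, FINE], [".SyncService"])
NAVIGATION = make_manifest("com.example.navigator", [INTERNET, FINE], [".RouteService"])
PUZZLE = make_manifest("com.example.puzzle", [INTERNET], [])


def audit_manifest(xml_text):
    """Summarize what the manifest declares: permissions and background services."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID + "name") for e in root.iter("uses-permission")} - {None}
    services = [e.get(ANDROID + "name") for e in root.iter("service")]
    return {
        "package": root.get("package"),
        "location": bool(perms & LOCATION),
        "internet": INTERNET in perms,
        "services": services,
    }


def can_report_location_in_background(report):
    """True when location + network + a service are all declared.

    This describes capability only. The manifest cannot say whether the
    position is used for routing or sent to a third party.
    """
    return report["location"] and report["internet"] and bool(report["services"])


if __name__ == "__main__":
    for manifest in (GAME, NAVIGATION, PUZZLE):
        r = audit_manifest(manifest)
        print(r["package"], can_report_location_in_background(r))
```

The game and the navigation app are both flagged, so the flag is a prompt for closer review of the app's behaviour rather than a verdict.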