A Trojan in a media player's clothing
The file appears to be a normal 13KB APK, like any other Android app package. Once installed, the Trojan runs in the background and sends SMS messages, without the user's consent, to premium-rate phone numbers. The individuals who designed the malware control those numbers and collect the fees charged to victims, resulting in a nice payday.
This outbreak is currently confined to Russia, and is likely to stay there: the distribution mechanism is slow, and only Russian users can lose money to the SMS charges. The app itself, however, could be installed on anyone's phone.
The good news
The permission list for this Trojan includes a heading titled "Services that cost you money", with "Send SMS" listed under it. Users have to ignore this and tap to allow the install anyway. We're certainly under no illusions that users read all the permissions when installing apps, but when installing from a non-Market source it is very important to do so. If a media player tells you it needs to send SMS messages, something is afoot. Evidently, at least some individuals ignored this and went ahead with the installation.
Even with this Trojan installed, hope is not lost, and to understand why we need to leave the Windows malware mindset behind. On a typical PC the logged-in user has access to the entire system, so a virus running as that user has the same access: it can change registry keys, attach itself to core system files, and evade uninstaller programs. Android apps run "sandboxed": each app runs under its own Linux user ID and cannot touch other applications, the core OS, or the hardware except through the tightly controlled channels laid out in the SDK and the permissions the user granted at install time.
This Trojan operates in the same sandbox as every other app. It cannot write outside its own private data directory, change system files, or remove itself from the app management interface. The only way an app can hide itself is to omit its icon from the launcher, which is itself suspicious. A user who discovers the malware need only find it in the list of installed apps and uninstall it; there is no worry that pieces of it live on in secret, as with a PC virus. When it comes down to it, this SMS Trojan is just an app: a malicious app that does unscrupulous things, but still just an app. The one caveat is that all of this assumes the sandbox holds. On a rooted phone, or one with an unpatched privilege-escalation flaw, an app that gains root is no longer confined.
Do you need Android antivirus?
DroidSecurity's Antivirus app purports to scan app packages, settings, content, and media for malware; all we have ever seen it do is warn us to turn off the "Unknown sources" toggle. At this time there is no reason to recommend that Android users run antivirus apps, especially given the system resources real-time scanning consumes: many of these apps use upwards of 20MB of RAM and a fair amount of CPU time.
Suppose malware on Android does become more common. Is there a way for antivirus apps to work? These malicious apps will probably always need user interaction to get onto the phone; barring some flaw in the Android OS, there shouldn't be any danger of remote attacks or "drive-by downloads". As such, real-time scanning is probably not needed. Users could instead use a scanning app of some sort to check any APK files they download before installing them.
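What such a pre-install check can look at is exactly the two things this post has been pointing to: the permissions the package declares (is there anything under "Services that cost you money"?) and whether the app will have a launcher icon at all. The script below is an added example, not the post's own code or any antivirus vendor's: it reads a decoded AndroidManifest.xml, lists the requested permissions, flags the ones Android files under the cost-money heading, and warns when no activity is wired up as a launcher entry. It assumes the manifest has already been decoded to plain XML (for instance with apktool); inside a real APK the manifest is stored in Android's binary XML encoding, which this script does not parse. The sample manifest, package name and activity name are constructed for the example and are not taken from the real Trojan.

```python
"""Pre-install triage of a decoded AndroidManifest.xml.

Added example for this post (not the author's code). Assumes the manifest has
already been decoded to plain XML, e.g. by apktool; the binary XML stored in an
APK is not handled here.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS  # ElementTree form of android:name

# Permissions the installer lists under "Services that cost you money".
COST_MONEY = {
    "android.permission.SEND_SMS",
    "android.permission.CALL_PHONE",
}


def declared_permissions(manifest_xml):
    """Return the <uses-permission> names in manifest order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME_ATTR, "") for el in root.iter("uses-permission")]


def has_launcher_activity(manifest_xml):
    """True if some activity carries a MAIN + LAUNCHER intent filter,
    i.e. the app will show an icon in the launcher."""
    root = ET.fromstring(manifest_xml)
    for activity in root.iter("activity"):
        for intent_filter in activity.iter("intent-filter"):
            actions = {a.get(NAME_ATTR) for a in intent_filter.iter("action")}
            categories = {c.get(NAME_ATTR) for c in intent_filter.iter("category")}
            if ("android.intent.action.MAIN" in actions
                    and "android.intent.category.LAUNCHER" in categories):
                return True
    return False


def triage(manifest_xml):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    costly = sorted(p for p in declared_permissions(manifest_xml) if p in COST_MONEY)
    if costly:
        findings.append("requests permissions that cost money: " + ", ".join(costly))
    if not has_launcher_activity(manifest_xml):
        findings.append("no launcher activity: the app will have no icon in the launcher")
    return findings


# Constructed sample (hypothetical package and activity names), modelled on the
# post's description: a "media player" that asks for SEND_SMS and declares no
# launcher entry for its single activity.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="org.example.fakeplayer">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Media Player">
    <activity android:name=".PlayerActivity"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for line in triage(SAMPLE_MANIFEST) or ["nothing flagged"]:
        print("-", line)
```

Run against the constructed sample it reports both findings; a genuine media player would normally request neither SEND_SMS nor CALL_PHONE and would have a launcher activity, so the same script returns an empty list for it. The permission check is deliberately dumb, a set membership test, because that is all the installer's warning screen does too; the point is to make the check happen before the user is looking at an "Install" button.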
We carry our entire lives around with us in our smart phones. This treasure trove of data is of great interest to certain dodgy elements of society, and it's not just the data but the ability to make a quick buck, as we've seen in this case, that will drive people to exploit smart phones. Android's open ecosystem is more conducive to malware. However, the robust manner in which Android warns users of app permissions, along with its basic sandboxing, will make malware harder to spread. The malware makers may always need a bit of social engineering to get their software onto people's phones.
For now, you shouldn't worry too much. Your phone cannot just pick up a virus on its own; it takes deliberate action on your part to install malware. There may come a day when some exploit changes this equation, but Android is safe for now. Do you run Android antivirus software? Has it ever warned you of anything important?