The problem is that when customers buy applications for their Android devices, they are downloaded to the devices right away - without the customer having to approve the actual installation of the software, Sophos virus researcher Vanja Svajcer says in a blog post.
That could leave the device open to anyone who manages to steal its owner's Google password, says the security firm. "In summary," Svajcer says, "if someone managed to steal your Google password they could trick your Android smartphone into installing software, without you having to grant permission on the device itself."
The blog notes that when the applications are downloaded, it is done in the background, so customers would likely not be aware.
"The result of all this is that a Google password suddenly becomes even more valuable for potential attackers, and I would not be surprised to see even more Gmail phishing attacks as a consequence," Svajcer says.
Sophos recommends that Google change the procedure so customers have to approve the downloads. In the meantime, the company recommends that customers make sure they have strong passwords that are not easily guessable for their Google applications accounts.