On Monday Google had to pull 21 applications, downloaded a total of 50,000 times, from the Android Market because they were infected with an exploit called 'rageagainstthecage'. The website "Android Police" quotes redditor lombpolo, who discovered the flaw: essentially, 21 existing apps had been infected and republished under slightly different names. So not only is it possible to publish malware to the Android Market, it is also possible to publish apps there that have been ripped off from another person and renamed. While Google did pull the apps as soon as it was made aware of the problem, 50,000 downloads is a lot of infected mobile devices.
This brings up some interesting security questions about the Android Market. While there have always been concerns about third-party app repositories, it seems that the legit ones aren't going to be all that much safer. Organizations that allow Android phones to interact with corporate mail systems now need to come up with a way of dealing with users being able to easily source and install malware on their handsets, malware that can be used to attack and compromise the internal network. What needs to happen is that Google checks all apps before they are published to its marketplace, rather than only responding to infected applications in a post-hoc manner.
You can get more info at the original "Android Police" site.