This news article about the “first” (a claim I sortof doubt) Android SMS trojan highlights to me the way that operating systems can only go so far in protecting their users.

The malware in question is a media player that secretly sends SMS messages to “premium” text messaging numbers that bill you for $5, similar to the “Text XYZZY to IDKFA to donate $10 to the Red Cross” programs. About halfway through the piece, though, they talk to someone from Google who points out that the malware only works because people installed it.

Moreover, when you install an application on Android, it explicitly warns you of all the permissions that the program is requesting. So these people installed a media player that, right there on the install screen, said it was going to require the ability to send text messages.

I know blaming the victim is kinda frowned upon here, but Google is doing everything they possibly can. Sometimes you want an application to send texts for you. Sometimes you don’t. You just have to actually look at those permissions.