The Android Market's Web-based store was launched only Wednesday, and already vulnerabilities are cropping up.
Researchers at Sophos, a computer security firm, have found that while buying an app for Android phones through the Web site is convenient, choosing an app there automatically downloads it to the mobile device, whether or not the phone is in use at the time. The software also installs automatically. This leaves the door open, the researchers said, for malware or viruses.
Vanja Svajcer, principal virus researcher at SophosLabs, writes that anyone downloading apps from the Android Market should check carefully what permissions they are giving to the app. Legitimate apps will be clear about it, and any app that asks to send and receive SMS texts should be considered suspicious.
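As an added illustration (not code from the article or from Sophos), the following script parses an app's AndroidManifest.xml, lists the permissions it declares, and flags the SMS-related ones the article calls suspicious. The manifest below is a constructed sample for a hypothetical flashlight app; the permission names themselves are real Android permissions.

```python
import xml.etree.ElementTree as ET

# Namespace used for android:* attributes in every AndroidManifest.xml.
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Real Android permissions that let an app send, receive or read text
# messages. A flashlight or wallpaper app has no reason to ask for these.
SMS_PERMISSIONS = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_MMS",
}

# Constructed sample: a hypothetical flashlight app that nevertheless
# requests permission to send and receive SMS.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <application android:label="Flashlight"/>
</manifest>
"""


def declared_permissions(manifest_xml: str) -> list[str]:
    """Return the android:name of every <uses-permission> element, in order."""
    root = ET.fromstring(manifest_xml)
    names = []
    for elem in root.iter("uses-permission"):
        name = elem.get(f"{{{ANDROID_NS}}}name")
        if name:
            names.append(name)
    return names


def suspicious_sms_permissions(manifest_xml: str) -> list[str]:
    """Return the SMS-related permissions the manifest requests, sorted."""
    requested = declared_permissions(manifest_xml)
    return sorted(p for p in requested if p in SMS_PERMISSIONS)


if __name__ == "__main__":
    print("Declared:", declared_permissions(SAMPLE_MANIFEST))
    flagged = suspicious_sms_permissions(SAMPLE_MANIFEST)
    if flagged:
        print("Suspicious for a flashlight app:", flagged)
```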
To access the Android Market a user needs to sign in with his or her Google password. That makes accessing the store more convenient - there is one less password to remember. But it also gives anyone who obtains that password another device to exploit.
Svajcer suggests that Google - at a minimum - add a dialog box to the receiving device, so that before it downloads and installs on a phone, for example, a user has to hit an accept button.
Until that happens, Svajcer says choosing a strong password is never a bad idea. Most people don't choose very strong ones - the most common are simple ones such as 12345 or the user's last name. Dictionary words are also not very strong, since a computer can often guess them.
Sophos has a short video on how to choose a strong one that is easy to remember, involving the use of phrases and using the first letter of each word.
A Google spokesperson said via email that the company hasn't seen any bad apps yet, nor are there indications this method of attack has been used. This theoretical threat presupposes a compromised Google account, and Google has worked hard to reduce the possibility of hijacking accounts through tools like phishing and malware detection in Chrome and Gmail, default HTTPS in Gmail, 2-step verification, and others, he said. "As always, we take swift action against apps and developers who violate our policies."