In short, "viruses" are not an issue, as the attribute of copying itself from one device to another is not a task anyone has managed to consistently accomplish. Trojans are indeed a risk, and that is what this topic is really about: programs installed by the user which carry a hidden payload. The risk is social engineering device owners into installing the trojan applications. Of course, a big part of this is also due to manufacturers who do not provide firmware updates in a timely manner, if they do at all.
http://www.schneier.com/blog/archives/2011/11/android_malware.html

From what I can gather, there are a few things to consider as a device owner:
- buy from a reputable manufacturer who has demonstrated a history of shipping updated firmware for your device of interest. (if they don't ship updates, they are not reputable)
- install applications from the official repositories (market) only
-- read the application reviews first
-- look for applications with a broad user base; no "installed by five people" stuff
-- do not install everything under the sun just because it's available and you may have use for it one day. Like any OS, install only the applications you actually need.
- if you must install from outside the official repositories, accept that you are choosing to go it alone, and be sure you trust the application source before "side-loading" it in.
Google could do more to manage the repositories too. If they are going to leave it wide open, consider something closer to the Debian method, like Nokia did with the Maemo application repositories: apps must pass vetting through a "development" repository before becoming available in the "stable/retail/public" repository. It doesn't have to be a ham-fisted vetting process like Apple's, but it sure should be more than allowing any developer to post up whatever trojan they can code over a weekend.
There was also a group that recently developed a business-safe add-on for Android. It basically partitions the phone into a "personal" and a "business" segregated install. The idea is that the device owner can do whatever they like in the stock personal side and not have it access or otherwise affect the business side. The business side can be managed within the company policy, separate from the personal side. (I thought it was called "Red Phone", but that is a different app it seems.) The group is supposed to give a talk and release it during one of the infosec conferences recently passed or coming up soon. (Drat... wish I could find the article about it now; it'd be about three weeks old now?)
For me personally, the Nexus devices are the only Android fork of interest, due to running stock Android and getting direct updates. Maybe my next upgrade will be the Samsung, if I can get around the idea of how much information I'll be forced to feed back to Google's servers. Maybe my lovely N900 will hold out until the Motorola/Google merger ships a Nexus or similar reference hardware platform. We'll see, since the current mobile offerings make me think more and more about going back to a dumb/feature phone and a smart PDA/tablet.