Thanks to a tip-off by a redditor, and some investigation by Android Police, Google has pulled 21 Android Market apps that were infected with a backdoor Trojan rootkit. If you downloaded any of the infected apps, they will be automatically deleted from your phone.
The attack vector was ingenious, and plays on the Android Market's biggest weakness: the almost complete absence of app moderation. The nefarious developer crafted 21 apps that share the name of legitimate apps (such as 'Chess'), and into each of them he inserted some Trojan code. The apps then quietly report your sensitive data back to a remote server, while you play with your free app.
According to Android Police, the apps include a feature that automatically roots the phone (using the well-known rageagainstthecage rooting tool), which allows it to download and execute arbitrary code. Even though Google has pulled the infected apps, these downloaded bits of code could still remain on over 50,000 infected devices. If you think you be infected, you might want to perform a factory reset.
The scary thing is, there's nothing to stop the same app publisher from creating more malware-infected apps in the future, perhaps with the grander plan of creating a botnet. That's the problem with unmoderated ecosystems like the Android Market: you have to take the good with the bad, whether you like it or not. It's a bit like the Wild West in that regard.