The move wasn't 100% effective. Third party Android app markets, not run by Google, may still have some Android malware that Google can't yet kill.
Google has been busy ever since, explaining the issue (it doesn't impact older versions of the Android system) and describing how it will try to keep this sort of thing from happening again, working with its partners.
Some of the tut-tutting talks about how Google needs to be more proactive, scanning for malware before approving applications. And that's fine. But what's being lost is the lesson that began this post.
Someone has to take responsibility for software after it's purchased. That costs money. But it also requires a top-down process through which orders, once given, can be carried out.
It's part of Black Duck's raison d'etre, as seen in its press release boilerplate:
Black Duck™ enables companies to shorten time-to-market and reduce development costs while mitigating the management, security and compliance challenges associated with open source software. (Emphasis mine.)
The problem is that services like this cost money. They have the impact of creating barriers to entry for open source projects, which can't gain traction in the enterprise space unless they're both willing to pay these costs and have a revenue-raising model in place for getting the money.
Another important lesson is that the lower in the stack you go, the more vital it is to accept this burden, even if what you're offering is free as in beer. Google has not monetized its ecosystem to nearly the degree that Apple has its, but as the operating system provider it has the same security responsibilities Apple has. Never mind that this is a Linux.
As I've said many times here, Google is lucky. Its business model does not depend on Android sales. The secret of its success lies in reducing the cost needed for every Internet-related transaction. As the low-cost provider of such transactions, it gains as volumes increase. By trailing in its monetization, Google improves its reputation at the expense of those whose costs are higher and who must thus stress profit earlier in the game.
Point is, the job of managing a mobile Linux system can't be done by anyone who isn't scaled as well as Google is. And that may be the worst news open source has heard in some time, because open source depends heavily on sharing costs and burdens, so that what begins as open source doesn't become quasi-proprietary.
Bottlenecks like this are the Achilles Heel of open source, unless they're addressed collectively. Google needs to explain this to all members of its ecosystem and make sure they contribute to these costs, unless those spongers want to turn it into Apple through their indifference.