On March 1, news broke that dozens of malicious applications had made their way to Android Market, each infected with a rootkit that could grant hackers deep access to Android devices that installed them. Google removed the malicious applications from Android Market within a few minutes of being notified, but has otherwise remained silent on the situation. Until now (at 10PM on a Saturday…)

Google has now confirmed that 58 malicious applications were uploaded to Android Market, and that they were downloaded onto around 260,000 devices before Google removed the apps Tuesday evening. That number sounds alarmingly high, but Google believes that only device-specific information, namely the phone’s IMEI number, was compromised — and that no personal data or account information was ever transferred. Given that these apps were getting root access, this could have been a lot worse. Now the cleanup begins.

Beginning tonight, Google is going to invoke a special ‘remote kill’ function that allows it to remove these malicious applications from any affected Android devices with no action required from the user. Google will also be issuing a fully automated Android Market security update to infected devices that should remove the rootkit (again, no user action will be required). All affected users will be receiving email notifications about the situation as well.

Unfortunately, while Google can remotely clean up affected devices, it can’t automatically patch the security hole that made the exploit possible in the first place. That’s because the hole exists at the system level, so it requires a system upgrade to resolve — and it’s up to the carriers and hardware manufacturers to deploy the fix. Google is issuing a patch and informing its partners that it is urgent, but who knows how long it will take the carriers to push it to users.

As if to underscore this problem, Google says that the exploit was actually already fixed in recent versions of Android, and that it only affects version 2.2.1 and lower. Unfortunately, the vast majority of Android devices are still running older versions of the OS because of the aforementioned sluggish carrier updates.

Beyond these software updates, Google says that it’s taking steps to try to prevent similar malicious apps from making it onto Android Market. But it’s being vague on the details:

We are adding a number of measures to help prevent additional malicious applications using similar exploits from being distributed through Android Market and are working with our partners to provide the fix for the underlying security issues.

The whole situation is pretty alarming for Android users (and I’m sure the email alerts Google will be issuing are going to spur even more user angst). Google wins some points for removing the affected applications within minutes of being informed of their malicious intent. But the fact that it is unable to distribute system security updates is unnerving — Google can downplay Android’s fragmentation issue all it wants, but when user security is at stake, we shouldn’t have to rely on the carriers.

And it’s also obviously alarming that the applications were accepted onto Android Market in the first place. Google doesn’t screen applications manually (even Apple doesn’t actually have a reviewer look through every application’s code), but hopefully it can institute some automated tools to better screen for malicious apps. Because if malware continues to creep into Market, users may become wary of downloading apps from developers they haven’t heard of, which would hurt the whole ecosystem.

Here’s the email that is being sent to affected Android users: