Android Trojan Mimics PC Drive-by Malware Attack | PCWorld
.........Discovered by security company Lookout Mobile Security
on a number of webistes, the decidedly odd "NotCompatible" Trojan
is distributed using a web page containing a hidden iFrame......
.........This isn't quite a PC drive-by attack because the user still needs to install the app, at which point it relies on the user having ticked the "Unknown Sources" box (in most cases this box would be unticked) that allows non-market apps to be installed.............The NoScript browser addon will protect you in the same way on your Android smartphone as it does on your PC.
From NoScript site:
# IFRAMEs embedded in untrusted pages are always blocked, unless they load content from the same site as their parent
# IFRAMEs embedded in trusted pages are blocked if they try to load content from untrusted sites
# If NoScript Options|Embeddings|Apply these restrictions to trusted sites too is checked, no IFRAME can be loaded unless it loads content from the same site as its parent
* You may ask, what if site I really trust gets compromised? Will I get infected as well because I've got it in my whitelist, ...?
No, you won't, most probably. When a respectable site gets compromised, 99.9% of the times malicious scripts are still hosted on a different domain which is likely not in your whitelist, and gets just included by the pages you trust. Since NoScript blocks 3rd party scripts which have not been explicitly whitelisted themselves, you're still safe, with the additional benefit of an early warning