If folk uncheck that trusted sources and install one bad app, it's game over.
http://www.techrepublic.com/blog/diy-it-guy/diy-how-to-install-android-apps-from-locations-other-than-the-market/
It's a rather done discussion about security, third party apps, permissions that apps shouldn't need but yes it can happen.
One checkbox and one bad app = blown security.
Bob
Hey guys,
New to the community- having some issues.
About 3 weeks ago I got messages from friends saying that they are getting emails from me with weird links in the body.
It obviously wasn't me...
I then went onto my Macbook pro and signed into google to find that my account was being used by three other devices in Chicago.
2 laptops and 1 samsung phone.
I have now changed my passwords 3-4 times, deleted chrome (what they used to sign in with) AND enabled extra security...
I don't think I can post the screenshot I took of the "recently logged in" page, but I'm not seeing the computers anymore but the damn phone (in chicago) signed in literally a half hour AFTER I changed my password earlier this afternoon.
Please help!
Thank you.

Chowhound
Comic Vine
GameFAQs
GameSpot
Giant Bomb
TechRepublic