pavane -

A "guilty" app on your phone wouldn't need to be a paypal app. ANY app can put the malware in place and the malware can be capable of going through everything on the phone and snatching everything you do with the phone. Any password that is itself on the phone or used on any connection made with the phone could be vulnerable to the malware - but the malware itself could have been brought onboard by any ap you've installed or even by an app that you "just used once" to try out something (a cute game?) on a connected site. Malicious infections specific to phones have been reported in music downloads from "respectable" sites like iTunes, among others. At present, they don't seem to infect a lot of people, but "intense activity" in developing phone malware is being reported.

The actual incidence of phone malware is low enough that paranoia probably isn't justified at present ("... but John, paranoia is such fun!!!"); but being aware that phones now are sufficiently powerful to require the same sort of cautions as "real computers" is increasingly necessary, and indications are that "it's gonna get worse."

John