Malware is a problem for Android, but that problem almost exclusively exists outside the confines of the safety of the Play Store. Like any platform where the sharing of pirated, cracked software occurs, if you're downloading something you didn't rightly pay for, there's a risk it might be carrying a little something "extra" you hadn't counted on being included. For the most part, this is how Android malware spreads - but what do malware distributors do once they've got a device infected?
Well, they might buy something like Dendroid, an almost hilariously well-marketed mass device management tool you can find on some of the dark corners of the web. Dendroid can be used to "manipulate, locate, and spy on an Android device." It has exciting features, like intercepting and blocking SMS messages, taking or transferring photos off a device, exploring browser history, launching DoS attacks, getting user account and contact information, sending texts, recording calls, and more! All this for just $300, lifetime support and updates included. Bitcoin accepted.
I really do have to give these guys points for their marketing and graphics chops - Dendroid looks like the premier enthusiast-level malware control panel. There are a few screenshots of the tool in action, and it does indeed look quite powerful:
Dendroid is what's known as a RAT (remote access tool), which you can learn more about in relation to Android at this Symantec blog post. Symantec actually outlined Dendroid specifically in a post on its blog today. A bit scary, I suppose, though if you get your software from the Play Store, you're probably not in any danger - Google's app verification system and the Play Store Bouncer make it pretty difficult for any malware-spiked apps to stay on the Play Store long enough to do any damage.
Either way, you've got to admire the salesmanship of Dendroid - they sure make extremely illegal acts look well-polished.