In an article published on wired.com, they say that security meltdowns on your smartphone are often self-inflicted: You clicked the wrong link, or installed the wrong app. But for millions of Android devices, the vulnerabilities have been baked in ahead of time, deep in the firmware, just waiting to be exploited. Who put them there? Some combination of the manufacturer that made it, and the carrier that sold it to you.
Although the article refers to US carriers, it is likely that it applies to most carriers.
Security researchers have found 145 Android apps infected with Windows malware, suggesting they were created on compromised Windows machines. The issue does not directly affect the Android device as the malware is for Windows. Article Source ITNEWS: Android Apps Infected
A newly discovered strain of Android malware makes live recordings of ambient audio around an infected device. The RedDrop nasty also harvests and uploads files, photos, contacts, application data, config files and Wi-Fi information from infected kit. Both Dropbox and Google Drive are being used as temporary storage by the attackers. Source: TheRegister