It's not that Android is uniquely vulnerable to malware. It's not. In fact, Android, which is based on Linux, has not only the Linux operating system's higher-than-usual resistance to attack; it also has the advantage of running applications in a Java-like virtual machine (VM), Dalvik. What all that means is that malware should actually have a great deal of trouble running on any Android device, and even if it does get onto one, it should be locked inside the VM sandbox where it can't harm any other applications.
I'll tell you why: Because Google doesn't do an adequate job of checking programs registered for the Android Market for hostile intent and poisoned payloads before letting the public at them. When you download a malicious program, it's going to do nasty things to you. It's that simple.
It seems like all a hacker needs to do is submit their attack program to Google for the Android Market and it gets approved. What's that all about? You, and not Google, get to do the security and beta testing. This is insane.
The only reason we have so much malware on Android is that Google doesn't do basic security checking. I'm not asking for much, Google. Just run the applications on some test devices, see what they do, and see if they grab resources and information they shouldn't be grabbing. This isn't rocket science. This is basic quality assurance.
As it is, you need to report bad applications using the poorly named Report Inappropriate Apps page to Google. Even once bad applications are out in the wild, Google doesn't seem to do a good job of tracking them down.
My job includes checking out programs for mistakes. Your job probably doesn't. Your life certainly doesn't. Security 101 is Google's job, not ours.
When you download an application from Google, you should be reasonably certain that it will do what it says it will and that it won't try to damage your system or steal your credit-card number. Is that too much to ask for, Google? I don't think so. I really don't.