It's just spammy apps. There are very few apps that actively exploit open bugs to elevate their rights, and then mostly to facilitate jailbreaking :)
The problem of course is the screwed up rights system. Instead of presenting a big list of permissions for every app on install, how about you just ask me directly if the app is about to send a text to some number not in my contact list?
Between exploits and spam, there is also the possibility of phishing. I have heard of fake Yahoo Mail apps making the rounds but couldn't find them - maybe that was outside of the Play Market (it was in Asia, where Yahoo is big).
All device permissions should be opt-in from a checklist on first launch, and there should be an option to make your device pretend to opt-in but use fake data. "Can such-and-such app use your location?" "Sure, I am in the middle of the Pacific."
The problem of course is the screwed up rights system. Instead of presenting a big list of permissions for every app on install, how about you just ask me directly if the app is about to send a text to some number not in my contact list?