As far as I can tell, the iPhone has only been hit by malware when jailbreaking is involved. Maybe I'm missing it, but considering that minor infections in the Android market have made headlines, I imagine I would fine something for Apple too.
P.S. I'm hardly pro Apple, I have a Droid. I'm just saying that the probably do check for this sort of thing, because it's impossible in my mind for some one not to have tried to submit malware to the App store.
Apple has rejected some apps for uploading the users contacts to a third party server, using private APIs, etc. It seems like they do dig a little deeper. Who knows if that's enough to stop all malicious software but considering we've seen a number of malicious Android apps (fake Bank of America app, proof of concept botnet) it does seem like Apple's review process is providing some real benefits to go along with it's real disadvantages.
The description of "malicious" seems a little nebulous.
I have never heard of an Android application that breaks out of the sandbox. When people talk about "malicious" applications, these are apps that don't actually do what they promise to do, and because of an overly generous user (who okayed excessive permissions) they exploit trust.
This is similar to a web site saying "Hey, add me to your trust zone" (in Internet Explorer) "and I'll be extra awesome", and then exploiting that access.
Another poster mentioned that location has a special confirmation security grant, which is interesting to learn, however for other accesses there is no guarantee that the app is doing everything in your best interest.