The description of "malicious" seems a little nebulous.
I have never heard of an Android application that breaks out of the sandbox. When people talk about "malicious" applications, these are apps that don't actually do what they promise to do, and because of an overly generous user (who okayed excessive permissions) they exploit trust.
This is similar to a web site saying "Hey, add me to your trust zone" (in Internet Explorer) "and I'll be extra awesome", and then exploiting that access.
Another poster mentioned that location has a special confirmation security grant, which is interesting to learn, however for other accesses there is no guarantee that the app is doing everything in your best interest.