Is it actually malware? It depends on your perspective, I suppose. Most flavors (for lack of a better word) of Android serve as a vehicle to collect data on its users. I consider this a form of malware (since the definition is "software that is designed to disrupt, damage, or _gain unauthorized access_ to a computer system").
While AOSP is less so, since it is open source after all, it is still often used to create versions of Android that spy on its users.
But I digress.
In practice, most Android devices are woefully outdated and cannot be upgraded to a current version - they are susceptible to being compromised, or may already be compromised.