When I've taken the time to actually drill into the reports of "Android malware" (twice now, on two different blog/news-site postings), it turned out that very few of the reported apps were in fact malware, in the sense that they were exploiting a vulnerability in Android (whether Dalvik or kernel). In fact, what's being reported as "malware" are simply applications that, if a user installs them and gives them rights to their personal info, do bad things with that info. The user had to grant the app rights to that info, even if there was no apparent reason the app should need those rights.
This is a far cry from the viruses and trojans that most people, reading these articles, are envisioning as what's being talked about.
I think the distinction is important, and that IT journalists have an ethical responsibility to be clear on this issue. Otherwise, they're implicitly feeding into a FUD cycle.