Malware in Mobile Devices
Malware means software designed to function in ways that mistreat or harm the user. (This does not include accidental errors.)
Malware and nonfree software are two different issues. The difference between free software and nonfree software is in whether the users have control of the program or vice versa. It's not directly a question of what the program does when it runs. However, in practice nonfree software is often malware, because the developer's awareness that the users would be powerless to fix any malicious functionalities tempts the developer to impose some.
Here are examples of malware in mobile devices. See also the the Apple malware page for malicious functionalities specific to the Apple iThings.
Mobile Back Doors
Most mobile phones have a universal back door, which has been used to turn them malicious.
Samsung Galaxy devices running proprietary Android versions come with a back door that provides remote access to the data stored on the device.
Samsung's back door provides access to any file on the system.
In Android, Google has a back door to remotely delete apps. (It is in a program called GTalkService).
Google can also forcibly and remotely install apps through GTalkService (which seems, since that article, to have been merged into Google Play). This adds up to a universal back door.
Although Google's exercise of this power has not been malicious so far, the point is that nobody should have such power, which could also be used maliciously. You might well decide to let a security service remotely deactivate programs that it considers malicious. But there is no excuse for allowing it to delete the programs, and you should have the right to decide who (if anyone) to trust in this way.
The NSA can tap data in smart phones, including iPhones, Android, and BlackBerry. While there is not much detail here, it seems that this does not operate via the universal back door that we know nearly all portable phones have. It may involve exploiting various bugs. There are lots of bugs in the phones' radio software.
Many proprietary apps for mobile devices report which other apps the user has installed. Twitter is doing this in a way that at least is visible and optional. Not as bad as what the others do.
Portable phones with GPS will send their GPS location on remote command and users cannot stop them: http://www.aclu.org/government-location-tracking-cell-phones-gps-devices-and-license-plate-readers. (The US says it will eventually require all new portable phones to have GPS.)
Spyware in Cisco TNP IP phones: http://boingboing.net/2012/12/29/your-cisco-phone-is-listening.html.
Spyware in Android phones (and Windows? laptops): The Wall Street Journal (in an article blocked from us by a paywall) reports that the FBI can remotely activate the GPS and microphone in Android phones and laptops. (I suspect this means Windows laptops.) Here is more info.
Some Motorola phones modify Android to send personal data to Motorola.
Some manufacturers add a hidden general surveillance package such as Carrier IQ.
Widely used proprietary QR-code scanner apps snoop on the user. This is in addition to the snooping done by the phone company, and perhaps by the OS in the phone.
Don't be distracted by the question of whether the app developers get users to say “I agree”. That is no excuse for malware.
Some Android phones are tyrants (though someone found a way to crack the restriction). Fortunately, most Android devices are not tyrants.