how much do we trust antimalware vendors? more or less than app vendors?
The permissions system certainly has a lot of problems, lack of granularity and lack of post install control being the biggest.
All security is about trust, Android has some poor options when developers are asking for permissions and bugger all control for users in permitting them. Devs can't always ask for just the trust they need and users can't choose exactly how much to give. Usually the users can't even guess what they should be accepting anyway. It surprises me I've been asking just a couple of times to justify the permissions in my app, after 100k+ downloads, despite requiring permission to dial out and the certainty they aren't reading the explanation on the Play page.
But those problems also make it very easy for anti malware sellers to exaggerate the stats. I have little confidence they went through 3.7m apps and correctly decided whether permissions were appropriate for all of them, even less confidence they resisted labelling trustworthy apps that *could be* abused as malicious.
That said, many of the ad platforms do appear to be potentially insecure and abusable outside app dev control, which would severely inflate the figures and more attention should be brought to that problem.