Now combine that with the users Google credentials and any other accounts assigned to their smartphone along with imei, location data, IP address, phone contact list, photos, musical taste, installed applications (like banking apps) etc etc that can be gleaned by a dodgy Android app and the developer has unlimited possibilities.
Facebook's Graph and unscrupulous advertising SDK's embedded in apps have created the largest single attack vector ever.
The fake virus warnings or other annoying persistent ads that pop up on Android devices are (almost) impossible to trace because they originate from unsuspecting users devices as they share content on Facebook that has been modified by the SDK's within apps on the sending users device without their knowledge.
An Android user that views a shared Facebook link or video sent by a user that has a dodgy app installed will be redirected to a full screen fake virus warning while their phone vibrates and usually links to a.dodgy "antivirus" app on the Google Play store to remove the non-existent "viruses" thus continuing the spread of modified Facebook links if the victim installs the dodgy "antivirus" app.
In order for this to work the person receiving the modified Facebook page or link must also meet certain criteria as far as what apps are installed on their device.
Most of the offending advertising SDK's I have documented that do this are from foreign countries such as China.