Also, Chrome partially does not have this issue if you protect your phone with a PIN, password, pattern or fingerprint. If you go to Chrome where you will see it, you cannot know the password without using your device access code to access it. But one thing I disliked about the password manager is that it is online.
If it is malware, I don't think the phone password will stop it from being stolen by the hackers. The phone's password will only keep it safe from outsiders. But malware, once in your mobile phone, might be able to access any unsecured data. I don't know much about how it does it, but that's what I think will happen. Chrome will always ask if it should store your data or use it to auto-login. So it is the user's fault if his data is stolen.
They are much better than storing your passwords in your browser's password manager.
How do I know if my phone has malware inside? Is there a way of noticing it?