Apps on their own may not be able to do something fishy but user must be careful giving permissions. For example, giving 'device admin' permission to malicious app may result in disaster.
Which, once again, proves android
isn't unsafe, but it's human decisions and interactions that can lead someone to getting hacked.