Bait-and-switch done wrong
Just a few weeks back, Kaspersky researchers discovered two apps in the Google Play Store—DroidCleaner and Superclean—that purport to restart all the running services on your phone, but get nasty when you connect your Android handset to your Windows PC as a disk drive (say, to transfer music or pictures).
If your PC has AutoRun enabled, code that the app hid deep in the root of your phone's SD Card executes and installs the malware. Once entrenched, the malware monitors your microphone. If it notices sound, it begins recording the audio, which it then encrypts and sends to the malware's master.
Devastating? Probably not. A novel twist on an old AutoRun vulnerability? Yes, indeed.