Security researchers have developed an application for Android phones that listens to phone calls, and records any credit card numbers or PINs that are spoken or entered on the keypad.
The Android platform does require the user to explicitly allow the application to have access to Phone features at install time, but this is more of a social engineering issue than anything else. Disguising this as another app in a trojan horse scenario would be trivial.