Re: A bit light on details
Your post is full of inaccuracies. Android, since Marshmallow, allows individual permissions to be set for apps. For apps created to the Marshmallow API, it doesn't even need you to grant all permissions to install it. As the permission is first used you choose to allow or deny it and you can revoke it at any time (or from any non-Marshmallow apps). This renders 90% of your post moot.
"...that sniffs the on-screen keyboard" There is also isn't an on screen keyboard. Anybody can create a keyboard, either as a system install one or directly in their app interface. Nobody wants a default Android keyboard that you can't change - look at the poor IOS one that they used to have. You can't run a keylogger on a system keyboard though unless rooted, but you can overwrite it or get the user to install one of the malware authors choosing and then do anything you want with the input - however this is by design and it does rely on the user not installing a system keyboard they don't trust.