I am not surprised as the apps ask for all kinds of permissions and some don't even need them.
What I find interesting is the iOS hack. Since its a flaw in Webkit, I wonder if this flaw could be used on Safari and Chrome since both browsers use Webkit. If so that means that even on PC or Mac it's not safe.
I also find interesting the fact that Google is offering money to hackers (as prizes) to discover Chrome vulnerabilities. It's a smart tactic and pays off in the long run. If the other "hacked manufacturers" would do the same the Internet would be a much safer place.
My SGS4 had the GE version of the OS, which had been on 4.3 for a long time and will get the 4.4 by the end of the year. No Samsung bloat on it. Of course, it would be nice to see which specific apps were vulnerable, because there is a way to disable these on a phone, even a non-rooted phone.
I always read the permissions required when installing apps, and if something sounds fishy I never allow it to proceed. I've been using Android since the glorious days of Cupcake and never had any malware on any of my phones (TBH, I have never seen personally an infected Android phone, despite the apocalyptic previsions of this or that "expert").
All "crapware" should have the ability to be uninstalled and re-downloaded if desired. Or since unlocked phones are allowed, their should be an option to get a phone crapware free from your provider before you have it in your hands. aka make it optional when you sign up.
And this is why I flash a stock Android rom onto my phone and read permissions when I install apps.
Really, there's too much bloatware/ crapware crammed onto our phones that doesn't need to be there.
Flashing clean improves security, performance and battery life.