The ways malware gets onto your device are called attack vectors. These range from untrusted apps downloaded from the Google Play store onto your mobile, to someone simply stealing your phone. But the most likely way malicious code will be used on your device is through ‘social engineering’. In other words, tricking you.
For every popular mainstream application, for example, there will be another app with a slightly different name, created in the hope of fooling users who are not discerning enough in their Play store searches. Not all of these are malicious, but do be sure to avoid them anyway. (The main benefit of Apple’s closed-door policy is that the iOS App Store is largely free of these duplicates.)