I've been a software engineer for a while, but I don't solve this using a technical approach. I've avoided having apps abuse me by choosing apps written by folks that have no incentive to abuse me. This means going to open source and community-driven apps as much as possible. Of course there will always be proprietary apps and in those cases I need to look at the entity that wrote the app and how much I trust it in terms of their development practices and incentives.

I've used Android for more than 15 years and have never had an issue with malware or viruses or anything of the sort. 90% of this is refusing to install apps that I don't absolutely need. And the rest of it is probably using open source and community apps instead of corporate apps whenever possible.

Unfortunately, the approach of "de-commercializing your phone" is not something that Apple will ever support or allow because it doesn't make them any money. Luckily on Android, I have access to FDroid, which makes this entire approach possible.

> It doesn’t need to sell ongoing location tracking information associated with my device identifier and IP addresses to marketing companies.

fortunately, GDPR covers that already. Or CPPA if you reside in California.

But that's not quite what by Malicious. Malice implies intent for bad desires. A company selling your weather tracking data with dubious consent is simply greedy. It very likely wouldn't be in your top 10 list of perpetrators if your phone was hacked, wiped, or stolen.