For secure operating systems "remote code execution" is a serious bug, for Android it is a feature.
In the paper Execute This! (PDF) researchers of UC Sante Barabara (US) and University Bonn (Germany) analyzed the security implications of the ability to load additional code for execution from an external source by Android apps.
32.5% out of 1,632 randomly selected apps in the Google Play store were loading code from extern servers after installation.
The code loaded from an extern server at runtime is not checked by the Bouncer of Google Play store and is not checked by any tested anti-virus app. An attacker may place a funny game in the Play store and load the malicious code at runtime from an own server.
More than 30.000 apps installed by more the ten millions of user load remote code in an insecure way. An attacker may use simple injection attacks to modify the download. It is not required to use an exploit to hack the smartphone.