Application such as Facebook require more than your password and username if you look closely. During installation. you give facebook application or any other application read access to - Location, Contacts, Messages, Calls, etc. Facebook being a Trusted Application doesn't shared this with any other third party, but Malware and virus are not. There is a possible case of even a trusted application to have it's data leaked but in rare cases. A piece on Independent.co.uk talks on Android apps sharing user information, prior to the findings using a custom built software called DIALDroid.
Stories of Big brands spying on users to pull relevant information either for marketing purposes or anything else is no longer news. Google once admitted to spying on android user location even when their phone is off.
Recently, i discovered that you cannot have your Location turned off and remain in peace while using Android version 6.0 and latest.You are likely to experience incessant interrupting pop-up to turn on location that you have to neglect if you want your location off.
Whenever you have a case of your personal information leaked due to a malware attack, you actually permitted the leak. Taking a perusing look at the permission you grant to each app can help curb information leak. If you feel permitting apps to peep into your contact or messages is not right, you can disable permission by following these steps.
Go to settings - Apps - Tap on any application - Disable any permission that won't interfere with the smooth function of the app. This works for Android phones.