It's entirely possible there are weaknesses in Android that allow people to gain access. That's why Microsoft release regular patches to cover weaknesses found in Windows and other MS products, and why groups responsible for other OSs likewise release patches and service packs.
Just because something is Open Source does not mean it is inherently susceptible to hackers. In fact quite the opposite - because you have more people looking at the source code, problems tend to be identified and fixed far more quickly than for proprietary systems where you have a limited development team who have to identify how hackers have compromised systems, and then develop the patches. More than half the world's web servers run on Linux/Unix/BSD/similar systems, most of which are open source, yet the internet still works.
As for detecting it, whilst they might not give the "spy app" an icon or make it obvious, there is no way to truly hide something. It's going to use CPU cycles, RAM and bandwidth, and sooner or later it's going to have to declare itself to Android in order to negotiate the use of the wifi, bluetooth or 3G functions.
I just cleared a couple of bits of malware off a (Windows) computer. The creators did quite a good job - there was nothing unusual visible in the processes window. However, the fact that RAM and CPU usage were off the chart and the hard drive was in overdrive (whilst nothing was supposedly running) was a bit of a giveaway that something was running in the background.
Cleared them out with Malwarebytes.
Nothing is safe, but Open Source does not mean open season for hackers. Be sensible in what you access and install (as with all computers and all operating systems) and you'll be fine.