The malware I am talking about exploits no security holes on the client machines whatsoever. I am talking about the sort where you go to a website and a popup is shown that pretends to be a Windows dialog doing a virus scan. It then says that you have X viruses and prompts you to download an exe. The victim clicks on "yes please download and run the exe". The victim then says "yes please run it with admin perms" to the Windows dialog designed to protect them.

Those are the annoying ones. The ones that don't break in. The ones that to you and me are instantly recognisable as a scam. The ones that to a normal human being appear to be just as valid as the Windows update dialog.

Without disallowing the user from ever downloading and running an exe from the web, I don't see any way round it for the sorts of users who are taken in by it. The same users would end up downloading and running the Trojan whichever desktop OS they were on.

That is why I think restricted systems like iOS are the future for normal users. Android's approach of telling you what perms the app wants does nothing to help these users.
Remind me to change my signature to something more interesting someday