I have no ideea about any malware, but the bluetooth was offline just like the wireless most of the time (you know the battery problem on older android smartphones). I don't know, I really don't... But as I said this would be something that people would pay heavy money on the black market. A phone that can intercept messages or download any message list from a phone within a close range.
Another ideea. My Windows Phone right now have a function inside it, it's called Find my phone, and this function can track your phone even if it's offline or turned off (tested). In my case the phone have a sealed in battery so you can't remove that, and when in shut-down state it can still activate GPS, A-GPS and GSM to determine it's location and send it to Microsoft. This way you can buy/make a gift a phone like this and track that person.
How can I use my phone to track someone? First of all you set up a blank Microsoft account that you're gonna claim, and give away your phone to the person you want to track. That person is going to log in with a secondary Microsoft account or if the phone is working as is it's not going to log on with anything else except maybe Facebook, Twitter or Google. Then log in on your Windows 8 PC with that account and everything will sync with your pc: SMS, CALL LIST, PEOPLE, AND PHONE LOCATION. Ok, and that's with the Winodws, now if we could extend this concept to other phones like Android, Symbian, Blackberry, Maemo, MeeGo and why not Jolla, think of the money that will be paid by jealous husbands to watch their wives and vice-versa and why not, parents tracking their kids. How? Microsoft don't need any connectivity from the phone (meaning as I said that the phone can be in airplane mode - full offline) and still get the location. A method like this we should use not to be network dependent, and think about this, who doesn't have a Facebook account? Meaning that that phone may go at least once a day online to check Facebook or Twitter or RSS or anything. While phone is online, a package should wait a secure upload, and trust me, how many SMS and call logs you should have to exceed 50-100kb? When you go online that package gets uploaded and decrypted on the account of the specific user.
How legal? This I don't know, but this of this. You hire a private-eye and that's legal? Why this shouldn't be? We are going to monitor that person for a specified time and give you a confidential report about that person after you agree a contract and you agree that your purpose is strictly personal and the data you receive will only be used in court or other legal authorities (like a divorce trial, or suing a bar because your underage son came drunk at home and he visited that bar as your watch log say). So I say this can even be legal in some way?