I work in security and experiment specifically on mobile security.
The real concern here isn't around an actual "virus" stealing data from one specific app. Viruses aren't nearly as common today as they used to be - antiviruses have evolved to play a lot of different roles as viruses have faded more and more into the background while other threats have taken the main stage. Malware has largely taken over, but isn't likely to attempt to steal data from other apps. While a sandbox escape is certainly possible (See VMware's technology and the fact that they thought they were impenetrable) most malware for mobile devices can steal data from within the confines of the app itself. Remember when you downloaded an app and it said it needed permission to access location data, network connection, etc.? Why on earth does a bicycle maintenance app need access to my location data and need permission to run in the background? The answer is usually poor / lazy coding, but these excessive permissions can allow a compromised application to gather all kinds of data by running in the background, intercepting keystrokes, and transmitting them. That's purely theoretical at the moment as WP8 is such a small percentage of the market that it really doesn't make a very enticing target. Also, like ImmortalWarrior said, Microsoft does a pretty good job of monitoring what goes on the Windows Phone Store (Remember all the issues with Android about 1-2 years ago?) SSL certs are still a big problem across mobile platforms in general, but the one that made news last year involving persistent connections to Exchange servers and allowed remote wipe capabilities to attackers didn't actually affect Windows Phone. Pretty ironic given that it only affected connections to Microsoft Exchange servers...
I would love to see something along the lines of a LookOut client for WP8, but more than anything, I want to see Microsoft enable something along the lines of what you can do with Android for Wifi connections. I want to be able to tie my wireless state to a specific cell tower. AKA, when I'm at home, my phone is connected to 2 or 3 specific wireless towers. It recognizes these as my home location and turns Wifi on. When I am at work, it does the same. However, if I'm in Kentucky, it doesn't recognize the wireless towers in that area, and so it keeps Wifi turned off. This saves battery power and also eliminates one of the largest attack vectors for mobile devices, wifi spoofing and data slurping via man in the middle attacks. If that sounded like French to you, do a quick Google search for Man in the Middle attack over Wifi. I do a lot of presentations around this one and have been able to use it to determine who owns a given phone, where they work, what their social security number is, what their banking / credit card information is, etc. This is BY FAR your biggest risk when it comes to wireless devices at the moment. The solution? Turn off Wireless (Wifi, Bluetooth, NFC) whenever you are not at home / work and using them. That doesn't mean disconnect them - it means go into your settings and turn them off entirely. It's not a perfect solution, but it makes you a less enticing target.