The private key is created and stored on the phone only and never transmitted via any network, except in the case of an encrypted (!) wallet backup.
Android has app-private storage, so it offers a lot more protection against malicious apps/viruses than any Desktop OS does.
Generally, if you don't trust what the app or your device does, consider auditing the source code. I took great care to not only open source the app, but also depend only on libraries and APIs that are open source themselves. Code audits are much appreciated!
I think a dedicated device running plain Android AOSP without any other apps can make a great and secure wallet. You can even partly run it offline, because it's possible to sign transactions and transmit them to another node just via QR code.
Thanks Andreas, you are very helpful.