If there is an Android-based audio head that has the same functionality as CarPlay, it almost definitely will not be vulnerable to this type of malware (although I'm sure malware can be injected somehow):
1: The functionality to add apps will be a lot more restricted than a typical phone and app store. I doubt that there will be the option for sideloading, much less ADB access. Slam this door shut, and this effectively gets rid of malware. Reducing the install points of all software and being an active, brutal guardian is one of the reasons iOS has had a good reputation for security over time.
2: Android can be made pretty secure, especially with SELinux set to enforcing in Android 4.4 as opposed to permissive. Even if something gets root, the OS is still pretty well locked down.
3: Most device makers have solid ways to turn filesystems read-only, even to root, so even if malware got its way unfettered by SELinux, it might be able to hose a partition or two, but couldn't attach somewhere so it could be started on the next device reboot. Again, not 100%, but an effective measure.
4: Android's existing app permission model will be good enough for a car audio head, since in general, one wouldn't be adding apps to it; apps would be on the smartphone or tablet.
iOS integration is nice, but it means only three phones (the iPhone 5, the iPhone 5c, and iPhone 5s) will work with CarPlay. That isn't that many devices, and I'm sure the people running Android will be demanding a decent audio/map experience as well.
I would guess carmakers will solve this by including CarPlay and an Android-based analog that provides similar functionality.