Putting a keylogger exploit into an app that you, as named identifiable rich people and a US company distribute through the app store, would be pretty crazy risk profile for the developer. All it takes is one person finding it.
Exploits should be used on targeted individuals where you can serve a trojaned app just to that individual, vs. something like the App Store where that would require either Apple's permission or some crazy proxy. (A carrier could probably do it with phones the carrier sells, though, particularly on Android, but even on Apple by pre-jailbreaking phones sold in sketchy areas like rebel-held Syria, if that were the goal)
Exploits should be used on targeted individuals where you can serve a trojaned app just to that individual, vs. something like the App Store where that would require either Apple's permission or some crazy proxy. (A carrier could probably do it with phones the carrier sells, though, particularly on Android, but even on Apple by pre-jailbreaking phones sold in sketchy areas like rebel-held Syria, if that were the goal)