Forget the software: the firmware running on the baseband processor can read system memory and send it over the network without you knowing. But that takes lots of effort to target a specific person.
So what do you do? It comes back to making sure that 'they' can only hack some of the people all the time, and all of the people some of the time. It's preventing them from hacking all the people all the time that I worry about.
I don't think we have good solutions for the problem of malicious updates in general.
The only one I can think of is a trusted hypervisor that hashes memory in the guest and reports on it. And even then, how do we trust that?