Right, so - malware generally wants to do something malicious, hence the naming. This could be encrypting your drive for a ransom, deleting important files, messing up your system in various ways, sending your private details to a server without your permission, etc. Because malware generally does one or more of a set of somewhat well-defined possibilities of malicious activities, we at least have something to screen for. This could lead to false positives - for instance, looking at which programs encrypt your data could lead to a valid encryption tool being flagged as malware, but you'd likely know it's good since you asked for it yourself.
Thus, there are things that we can look for to detect malware. But if the software is really clever, it can do a lot to throw us off. For instance, if it's sending your private data to a server, it could send a few KB every few days or hours. This is such a small amount, and not really an unrealistic thing for a process to do, so we might never notice.
Security generally is a very, very complex issue. We've got a lot of really clever people working hard on both sides of the war. In theory there could be malware on every single device in the world, hidden from sight and anybody's knowledge aside from the select few, who gather details on us all... Sorry, did I blow your secret, NSA?
Anyways, the point is that it's theoretically possible, but security is a cat-and-mouse game, and it's super hard to hide for long because there are really smart people whose job it is to find you, discover your patterns and get rid of you.
The most primitive anti-malware method is just to screen for known malicious executable file names, but obviously you can hide from that just by changing your file name. There are then also those that save an MD5 hash of the executable content, but then you could use the same method as before but write it slightly differently and that detection method would fail too. And you could also screen for behaviour as mentioned earlier. Many options.
The short version is: theoretically, yes, but I'd say it likely wouldn't take too long for the security teams to catch up. Though we certainly have seen long periods of uncaught malware in the past.
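An added illustration (not part of the original post) of the two detection methods the answer contrasts: an MD5 blocklist that a single changed byte evades, and a behavioural check that catches the "a few KB every few hours" pattern by looking at the regularity of many tiny transfers over days instead of the size of any one. The malicious "executable" content, the log format and the IP addresses are all constructed for the example.

```python
import hashlib
from collections import defaultdict
from datetime import datetime

# --- Signature check: the "MD5 of the executable content" method ---
# Constructed stand-in for a known-bad executable; not a real sample.
KNOWN_BAD_CONTENT = b"FAKE-EXE: beacon to 203.0.113.7 every 6h"
KNOWN_BAD_MD5 = {hashlib.md5(KNOWN_BAD_CONTENT).hexdigest()}

def matches_known_md5(content: bytes) -> bool:
    """Flag only an exact match; rewriting the file even slightly evades this."""
    return hashlib.md5(content).hexdigest() in KNOWN_BAD_MD5

# --- Behavioural check: the "small amount every few hours" pattern ---
# Constructed outbound-transfer log, one event per line:
# "<ISO timestamp> <process> <destination IP> <bytes sent>"
SAMPLE_LOG = """\
2024-03-01T00:05:00 updater.exe 203.0.113.7 3072
2024-03-01T06:05:00 updater.exe 203.0.113.7 2900
2024-03-01T12:04:00 updater.exe 203.0.113.7 3100
2024-03-01T18:06:00 updater.exe 203.0.113.7 3000
2024-03-02T00:05:00 updater.exe 203.0.113.7 3050
2024-03-02T06:05:00 updater.exe 203.0.113.7 2980
2024-03-01T09:00:00 browser.exe 198.51.100.20 52000000
2024-03-01T10:00:00 mailer.exe 198.51.100.9 1500
2024-03-01T17:30:00 mailer.exe 198.51.100.9 1700
"""

def parse_log(text):
    """Turn the constructed log into (timestamp, process, destination, bytes) tuples."""
    events = []
    for line in text.splitlines():
        ts, proc, dest, size = line.split()
        events.append((datetime.fromisoformat(ts), proc, dest, int(size)))
    return events

def low_and_slow_flows(events, min_events=5, max_jitter_sec=600):
    """Return (process, destination) pairs that send at a near-constant interval.
    A per-transfer size threshold never fires on 3 KB, so the signal here is
    the regularity across many transfers, visible only when days of events
    are aggregated per flow rather than inspected one connection at a time."""
    by_flow = defaultdict(list)
    for ts, proc, dest, _ in events:
        by_flow[(proc, dest)].append(ts)
    flagged = []
    for flow, times in by_flow.items():
        if len(times) < min_events:
            continue  # too few transfers to call it a pattern
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= max_jitter_sec:
            flagged.append(flow)
    return flagged
```

Running `low_and_slow_flows(parse_log(SAMPLE_LOG))` flags only the updater.exe flow; the large one-off browser transfer and the two irregular mailer transfers are not reported.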