Change them all immediately to really complex ones, and enable two factor authentication on everything you can!
This is just good general privacy maintenance anyway, but I'd also suggest getting a password manager to help. I prefer Last Pass.
The other stuff may not be a hacker. Android, by design, runs best with RAM mostly occupied. So the system will open apps in the background, keeping them at the ready for when you want to switch to them, even if you had closed them. If you happen to be running a memory cleaner app, like Clean Master, it will fight the OS by closing out apps, only to have them or others opened in their place to fill up the RAM.
For the location prompt, is this being tied to a specific app, or random requests? A screenshot of the notification would help. Also, it's pretty hard to get a virus or anything like that into an Android phone without you knowing. Not impossible, of course (I recently saw accounts of a cheap knockoff brand that had the ROM infected right from the factory), but difficult unless you're dealing with sketchy apps and sites.
If you have actually given anyone access to your passwords (or had weak ones that are easily guessed, like "12345"), then ok, you may have problems on your hand.