
Security threat by a BroadcastReceiver with GooglePlay's permissions


Does the following situation create a security threat?

Imagine a situation.

  1. You have a device without GooglePlay services installed.
  2. You create a broadcast receiver with android:permission="com.google.android.c2dm.permission.SEND" permission (this permission is held by GooglePlay services) and install this app on the device.
  3. The app does not check if GooglePlay services are available on the device.

Is it possible for malicious software to exploit this developer mistake?


Solution

  • It's not very likely that this would cause a problem. There's minimal issue with this because:

    1. This permission is defined by Google for GCM (which has been replaced by FCM). It is used to ensure that only senders who hold this permission can send that Intent to the registered receivers. It's a small amount of security in the grand scheme of things, though.

    2. Even if a different app / service defined this same permission to fake it on a device where GMS is not present, the normal payload of the Intent is likely going to have some type of extra data in it so Google's receiver (what is specified in your manifest) can verify its content before doing anything with it.

    3. Starting with Android 4.4.3, checks were added to the system so that system bundled apps/services (e.g. GMS) permission definitions take precedence over 3rd party apps. This prevents 3rd party apps from re-defining permissions in an attempt to back-door a system app permission. Not exactly the same situation you describe, but still important.
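The check missing in step 3 of the question can be done with framework APIs alone: look up which package defines `com.google.android.c2dm.permission.SEND` on this device and keep the receiver disabled unless that package ships in the system image. This is an added example, not code from the question or the answer; the class and method names are hypothetical, and treating a system-image package as a trustworthy owner is an assumption (comparing the owner's signing certificate would be stricter).

```java
import android.content.ComponentName;
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageManager;
import android.content.pm.PermissionInfo;

/** Hypothetical helper: gates a receiver on who defines the guard permission. */
public final class SendPermissionCheck {
    static final String SEND_PERMISSION = "com.google.android.c2dm.permission.SEND";

    private SendPermissionCheck() {}

    /** True only if the permission is defined on this device by a system-image package. */
    public static boolean isDefinedBySystemApp(Context context) {
        PackageManager pm = context.getPackageManager();
        try {
            // Throws if no installed package defines the permission,
            // e.g. on a device without Google Play services.
            PermissionInfo perm = pm.getPermissionInfo(SEND_PERMISSION, 0);
            // perm.packageName is the package that declared the permission.
            ApplicationInfo owner = pm.getApplicationInfo(perm.packageName, 0);
            // Assumption: an owner installed in the system image is trusted.
            return (owner.flags & ApplicationInfo.FLAG_SYSTEM) != 0;
        } catch (PackageManager.NameNotFoundException e) {
            // Permission undefined, or its owner is not visible to this app:
            // fail closed.
            return false;
        }
    }

    /** Enables the receiver only when the guard permission has a trusted owner. */
    public static void applyTo(Context context, Class<?> receiverClass) {
        int state = isDefinedBySystemApp(context)
                ? PackageManager.COMPONENT_ENABLED_STATE_ENABLED
                : PackageManager.COMPONENT_ENABLED_STATE_DISABLED;
        context.getPackageManager().setComponentEnabledSetting(
                new ComponentName(context, receiverClass),
                state,
                PackageManager.DONT_KILL_APP);
    }
}
```

Calling `SendPermissionCheck.applyTo(context, MyReceiver.class)` from `Application.onCreate()` re-evaluates the owner on every process start; `MyReceiver` stands in for the receiver declared in the manifest.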