Quick Links
It's commonly suggested that Android has a "virus problem." But, while there are viruses and malware on Android, it's not really something you need to be concerned about---as long as you pay attention to what you're doing.
Android is Inherently Secure
Android itself is a pretty secure operating system---a statement that has only gotten truer over the last few years. Right out of the box, all mainstream Android phones feature a locked bootloader to prevent access to the system partition. Optional "sideloading" of non-approved apps is also disabled by default.
Those two (unlocked bootloaders and sideloading apps) are by far the most common ways that people get malware on their Android devices, and both are blocked by default. The fact of the matter is that most of Android's malware issues are only there because certain default security features have been disabled. Alas, that's one of the primary things that sets Android apart from the competition. You're free to do more of what you want with your handset, even if that means weakened security.
That said, Google has even made sideloading more secure with Android Oreo. Instead of this feature being a blanket setting that simply allows or disallows apps being installed from outside of the Play Store, it now works on an app-by-app basis. That means you can allow apps to be installed from something like the Amazon Appstore, but nothing else. It's a smart way to handle this setting.
Put simply: if you never plan on unlocking the bootloader (which isn't even possible on many phones) or sideloading apps, you're as protected as you can be by the system alone.
The rest, however, does take a little due diligence on your part.
Google Play Protect Scans Apps, but It's Not Perfect
Google has a system in place that scans all apps in the Play Store (and on your phone). It's named Google Play Protect. Think of it as always-on, always-scanning malware protection for your phone.
But like any malware scanner, it isn't perfect. Things do slip through the cracks, and sometimes these malicious applications have been downloaded tens of thousands of times before they're discovered. That's the type of thing that leaves the impression that Android is an insecure, malware-infested operating system when covered by the media.
And while it does happen, this is also an unfair depiction of Android as a whole. We've talked about how to avoid malware on Android before, but one key point is worth reiterating: pay attention. That's really all there is to it. Make sure the developer is legitimate, read the description, look at the screenshots, and check the comments.
All in all, these are things that should be done before installing an app anyway (and not just on Android), and it really doesn't take that long to do. The odds are the app you're planning on installing is legitimate and you have nothing to worry about, but taking a few minutes to read over the details before installing will be the difference between getting the app you're looking for and installing a malicious piece of software.
And No, You Don't Need an Antivirus App Installed
Many, many antivirus companies have capitalized on Android's "virus problem" by releasing malware scanning apps for the platform. Don't get me wrong---it's cool that these are an option! But they're not really going to find anything that Google doesn't already know about and has protection against with Play Protect.
Of course, most antivirus apps on Android do other things, too---like block spammy phone calls, protect your phone from theft, and more. Those are added benefits, but also they're also features Android now has built in.
To put it plainly, you can use an antivirus app if it makes you feel better, but all you're really doing is allowing some third-party app to use up resources doing what your phone already does on its own. It doesn't make a lot of sense.
If you just pay a little bit of attention to what you're installing from Google Play, you'll be fine. That's really all there is to it.