I wish there was better understanding of this.
Android is a Linux OS, with a Linux kernel under the hood. Linux doesn't have viruses. Viruses are a problem specific to Windows, where they can patch into the OS. On Linux, they bounce off.
I don't run A/V on my Android tablet. For that matter, I dual boot Windows and Linux on the desktop. There is n A/V package for Linux, but I don't run it. The folks I know who do don't run it to protect themselves. They run it to make sure they don't inadvertently pass something along to contacts who run Windows that they won't see as a threat because it won't bite them. I don't run A/V on my old netbook dual booting Ubuntu and WinXP, and while I have Windows Defender on Win10 on the desktop, I have it turned off.
What can bite on Android is malware, which is a different class of threat.
Viruses and malware are infections, and infections have vectors through which they infect the host body. Ward the vector, and block the infection.
The main vector for viruses is email. I use Gmail as my primary email account. I read and reply to mail in my browser. My mail all resides on Google's servers, and Gmail implements viewers for all common attachment types, so I can view them without actually downloading them. I don't need a local copy of mail, so it works fine. And Gmail has the best spam filtering I've seen, and the sort of mail that might be infected with something nasty will be flagged as spam and not appear in my inbox.
I don't run A/V because I've warded the vector where viruses might come from.
The vector for malware is the browser. Most malware assumes you are running Windows, and use Internet Explorer as your browser. I run Firefox, with the NoScript add-on that blocks scripting on sites not in a whitelist, and uBlock Origin, a generalized, list-based blocker for ads and other things.
I have the Malware Bytes malware scanner under Windows, run it occasionally, and it never finds anything. I warded the vector.
I only download from known-good sources that scan on their end, and most of what I download is open source in addition.
I don't bother with A/V or anti-malware under Android because I practice "safe hex". I know what it is, what it does, and where it comes from before I install it, and I'm fussy about what I do install.
Most A/V and anti-malware solutions make the assumption "The users are idiots, and must be protected from their own ignorance." Security and safety online come from knowledge, and people need to acquire it. You can't rely on third-party software to protect you. You need to know what you're doing and do the right things.
>Dennis