[chickenbane]

Although the Android ecosystem is probably the biggest OS deployment on devices right now, Google has done a pretty impressive job maintaining its overall safety. The primary mechanism they use is what they call GMS (Google Mobile Services), built on top of AOSP.

GMS includes the Google Play Store, which they reported this year had 2B monthly active users. The most notable AOSP derivatives that do not run GMS are Amazon's Fire OS and whatever Chinese companies are doing. Whenever you see somebody trying to implement "Android without Google", they are (misguidedly) replacing GMS.

Anyway, GMS on the device auto-updates and works with cloud services to detect and act on malware the user may have installed. This year Google branded this "Google Play Protect". Because GMS doesn't require firmware, kernel, or platform updates to work, Google is able to police the ecosystem effectively.

Also, because all apps are signed by the developer and Google controls the Play Store, its also able to work with developer community to mitigate libraries / sdks that are harmful. The overall end result is harmful apps are only on 0.05% of devices that only install apps from the Play Store (the most common scenario, and the default).