One of the things that makes Linux distributions secure is that normally one installs programs from the distributions repository. All of the programs in this repository are verified and compiled by the distribution's maintainers and all packages are signed by the distribution. Android is not like this. The individual developers upload their binaries into Google Play. Google does not compile and verify the programs, they only check them for known malware. This is a weakness in Android. I wish Google had chosen GPL3 as the licence and required all programs in Google Play to conform to that licence. Then maybe there would be no Android malware to speak of, just as there is no significant GNU/Linux malware.