Android malware isn't rare or harder to come by at all. Every so often even Google has to remove a whole lot of apps from the store due to malware and these are apps that went live and were downloaded. Some of this being even more intense malware than on desktop, as people rarely store contacts or SMS on a desktop (Joker malware for example). You've negated your entire point.
The vast majority of "malware" on phones isn't software that exploits security bugs in the system software. Instead it's software that effectively asks the user nicely to give up their information, using mechanisms provided by the system software to do just that. This isn't something you can trivially prevent, as some software really does need access to your location, contacts, SMS, etc.
The response to true malware on Android isn't looking for and removing APKs from compromised devices after the fact, it's patching the vulnerabilities in system APIs.
At the windows malware peak, your system could be infected merely by having an internet connection. How many android worms are there? None that I can think of.
Heck, windows PCs were regularly infected by browsing the wrong website. Or getting served a malicious advertisement. Can you honestly say that people are getting infected on Android regularly by surfing the internet?
The vast majority of android malware relies on social engineering to get the end user to grant a malicious app permissions to be malicious. That's hardly a failing of the OS. It's also nowhere near as bad as "I'm online and now risk being infected".
> Heck, windows PCs were regularly infected by browsing the wrong website. Or getting served a malicious advertisement. Can you honestly say that people are getting infected on Android regularly by surfing the internet?
I have used Windows for nearly 2 decades and I can't tell you the last time my system was infected. I do agree that browsers are the largest vector of attack but that also means browser vendors share some of the largest responsibility for creating secure systems.
Two decades ago was near the end of that Windows-malware peak. And really, if you were behind a NAT two decades ago, that would have stopped nearly all of it, so you might not have noticed how bad it was unless you were supporting a lot of Windows machines in varied environments.
There was a span of a few years when a Windows box connected directly to the Internet, using a public address, would reliably get pwned before long, even with nobody using it. But that was quite a while ago, and, again, just being behind a NATing router mostly solved the problem (assuming nothing infected ever connected to your local network).
