Got some sources to cite, or is this the typical apple fanboyism of "android bad"?
I've used android for years, never ran into any malware. I've also developed for android and ios. Writing malware is largely impossible due to the functional permission system, at least it's much, much harder than the other operating systems. Apple just pretends it's immune to malware because of the manual reviews and static analysis performed by the store. It's also why they're terrified of letting people ship their own interpreters like javascript engines.
One might argue that Android is targeted more than iPhone because of its larger userbase which certainly may contribute to it, but then MacOS which has a fraction of the userbase is more targeted than iOS - that makes the case that sideloading or lax app store reviews really are at least partly to blame.
Given much of the malware seems to be apps that trick users into granting permissions by masquerading as a legitimate app or pirated software, it's not really too hard to believe that Apple's app store with their draconian review process and no sideloading might be a more difficult target.
Obviously a strict walled garden keeps out bad actors. The question is: Is it worth it? I say no.
People deserve to be trusted with the responsibility of making a choice. We are allowing everyone to buy power tools that can cause severe injuries when mishandled. No one blinks an eye. Just like we allow that to happen, we should allow people to use their devices in the way that they desire. If this means some malware can exist then I consider this to be acceptable.
In the meantime system security can always be improved still.
I've used android for years, never ran into any malware. I've also developed for android and ios. Writing malware is largely impossible due to the functional permission system, at least it's much, much harder than the other operating systems. Apple just pretends it's immune to malware because of the manual reviews and static analysis performed by the store. It's also why they're terrified of letting people ship their own interpreters like javascript engines.