Here's my take on this -- for the sake of this discussion, I'll just refer to all malware and malicous apps and code as "viruses", even though there can be differences between them.
A/V programs, at least the decent ones, are pretty good at doing one thing: informing you when you have a virus. What they are not good at? Actually removing the virus and the damage it may have caused your system. Keep in mind I'm not referring just to Android phones here, but all computer devices. Now, I'm not saying that there is no value in detection, there is -- but way too often folks get an unrealistic sense of security by using A/V programs, and that's the big lesson to learn here.
I work in IT for a living, and as such, my friends and family will often call upon me when their computer is acting up (lucky me!). It's amazing how often I'll tell someone their computer is infected, only to hear them say, "but I don't understand...it has anti-virus!!! How could this happen?!?". Exactly. Not only is most A/V software pretty useless at removal and repair of infected computers, but they're also dependent on sets of "definitions" used to scan files against...and of course, the "bad guys" writing the code are always one step ahead of the game, so there's not even a guarantee that A/V software will detect newer threats.
Bottom line? There's no excuse for not practicing safe habits; nor is there a better way to keep your system free of malware. A/V software companies had a boom around the turn of this century around the time that most folks were just getting at-home high-speed internet, and Windows and IE still had enough security holes to drive a Mack truck through. Back then you could get a virus by just looking at your computer funny -- but most of today's OS's (yes, especially including MS Windows) actually have enough security measures in place that most of the time an infection requires user intervention to make it happen. In other words, most likely, if you got a virus, it was because of something you downloaded and/or installed, and not because some "hacker" somewhere found a way to get into your system to do bad things.
So sure, run an A/V software if you want. I choose not to, mainly because I prefer to not dedicate the extra resources to running it, and I know that if I should get an "infection" of some kind, I'm just gonna wipe my computer/device and start over anyway (which is almost always less tedious than trying to remove the bug).
Besides running A/V, these are much better tips for avoiding infection:
1. Don't download apps from untrusted sources. For Android, this means staying primarily within the Play Store.
2. Even if from the Play Store, I'd go a step further and make sure the developer can be trusted.
3. Check permissions requested vs. what the app claims to do.
4. Just be smart. You know what kind of stuff you shouldn't be messing with, so stay away from it. Probably 95%+ of all malware is attached to:
- "adult" material...especially anything free ... duh.
- pirated music/movie/media downloads ... double duh.
- "Click here to claim your prize!" ... more like "click here to infect your computer!" ... again, you already know better.
Follow steps 1 through 3 and stay away from all items in step 4, and I promise that the likelyhood you'll ever actually need your antivirus software is slim-to-none. Using firewalls and safe networking practice can play a big role as well.