So the conclusion is, we should assume that the device is infected already so installing a wallet on it doesn't make any sense.

I prefer to just not put too much in it.
To state the fact, I have been using Electrum on my Android for years and haven't fallen for any tricks yet, just using QR scanner for every TX, double check the chars, and keep the Play Protect ON.
I haven't had security problems with different wallets on mobile either. At one point I even had much more value in Forkcoins than I was comfortable with in one of them (with consent from the owner of the coins). But for my own peace of mind, I feel much better when there's just "pizza money" in there. If I lose it, I can afford to lose it.