1) Avoid "free" apps. Remember, if you're not paying for the product you ARE the product.
2) Only download apps from reputable and established companies. They have the most to lose if they let malware get into their apps!
3) Don't give apps permissions they don't need. A calculator should NEVER need to know your location!
For me, I avoid "other app stores" and stick with Google's Play Store.
I've never gotten one piece of malware on any of my phones by following the 3 things above.
I'll say due diligence in curating the apps is the No. 1 issue, besides a malicious manufacturer*, since everything is a binary blob communicating over encrypted channels these days. If an app gets access to your keyboard and/or mic, it can basically sniff out everything meaningful you do on the device.
(*...uninstallable apps. Or worse, they pile on more with updates. The apps also tend to be a smash-and-grab for as many permissions as they can get their hands on. Each one is an extra attack surface.)
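Both posters come back to the same check: which apps actually hold sensitive permissions. On a device with USB debugging enabled, `adb shell dumpsys package` prints every installed package with its install and runtime permissions and whether each is granted. The script below is an added example (not code from either commenter) that parses that output and reports, per package, the granted permissions from a hand-picked subset of Android's "dangerous" runtime permissions. The `DANGEROUS` set, the package names and the `SAMPLE` text are constructed for the example; the sample mimics the `dumpsys` layout but was not captured from a real device.

```python
import re
from collections import defaultdict

# Hand-picked subset of Android "dangerous" runtime permissions that a
# simple utility app has no business holding. Assumption: chosen for this
# example, not an exhaustive list.
DANGEROUS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_EXTERNAL_STORAGE",
}

# "Package [com.example.app] (hash):" opens each package's block.
PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
# Install and runtime permission lines share the "name: granted=true|false" shape.
PERM_RE = re.compile(r"^\s*(android\.permission\.[A-Z0-9_]+): granted=(true|false)")


def granted_dangerous(dumpsys_text):
    """Map package name -> sorted list of DANGEROUS permissions with granted=true.

    Accepts the text of `adb shell dumpsys package` (all packages) or
    `adb shell dumpsys package <pkg>` (one package). Packages holding no
    granted DANGEROUS permission are omitted from the result.
    """
    found = defaultdict(set)
    pkg = None
    for line in dumpsys_text.splitlines():
        m = PKG_RE.match(line)
        if m:
            pkg = m.group(1)
            continue
        m = PERM_RE.match(line)
        if m and pkg and m.group(2) == "true" and m.group(1) in DANGEROUS:
            found[pkg].add(m.group(1))
    return {p: sorted(s) for p, s in found.items()}


# Constructed sample in the dumpsys layout; not captured from a real device.
# The "calculator" requests location and mic; only location is granted.
SAMPLE = """\
Packages:
  Package [com.example.calc] (1a2b3c4):
    userId=10123
    requested permissions:
      android.permission.INTERNET
      android.permission.ACCESS_FINE_LOCATION
      android.permission.RECORD_AUDIO
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=0 installed=true hidden=false suspended=false
      runtime permissions:
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
        android.permission.RECORD_AUDIO: granted=false, flags=[ USER_SET ]
  Package [com.example.notes] (5d6e7f8):
    userId=10124
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=0 installed=true hidden=false suspended=false
      runtime permissions:
        android.permission.READ_EXTERNAL_STORAGE: granted=false, flags=[ ]
"""

if __name__ == "__main__":
    # On a real device: adb shell dumpsys package > dump.txt, then read that file here.
    for pkg, perms in granted_dangerous(SAMPLE).items():
        print(pkg)
        for perm in perms:
            print("   ", perm)
```

The "requested permissions" lines are deliberately ignored: requesting a permission is not the same as holding it, and the point of the audit is what has actually been granted. Anything the report flags can be revoked without uninstalling the app via `adb shell pm revoke <package> <permission>`, or from the Permissions screen in Settings.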