Google regularly scans its market for apps containing malicious code. Only using apps from the play store and looking at their permissions and determining if they are just is about all the average user needs to do.
When using the web browser, don't go randomly clicking on links on shady websites.
Just common sense things will keep you safe.
Anything that gets by those basic steps isn't going to be caught by an antivirus app anyway because its too new of an attack to detect