It's not "luck", there just aren't any viruses that can attack Android.
Having to
see it before you believe it is not a competent or diligent approach to security. Malware is designed to exploit unknown vulnerabilites not previously exploited. When you allow the attacker to be the first to demonstrate a malware propagation method, you've lost.
This is why in the information security industry we act on
theory. If an attack is theoretically possible, only a fool waits until the attack is executed before they prepare for it. You may have never seen an attack at the perimeter of your network, but that's no excuse for not having a firewall and intrusion detection system. Homeowners install locks and alarm systems on homes never before broken into (and even in neighborhoods without incident) because they don't need to be broken into in order to realize there is a risk. This street wisdom tends to get lost when laypeople approach information security.
Malware is another story,
Certainly not. A virus
is malware. Denying one malware propagation technique or another is damaging if it causes you to neglect incident response and recovery. If you're not able to recover from an incident because you could not foresee a particular method of propagation (a virus), you've made a poor judgement regardless of whether the damage is caused by a virus, a trojan, or your own misguided action.
there are malware apps, but as long as you ONLY get your apps from the Market, and stay away from brand new apps that only have a few downloads, or are from a new (unheard of) developer, you will be fine.
This is like telling a motorcyclist if they drive carefully, there's no need for a helmet. You can reduce risk but you cannot eliminate it. Smoking pot will lower your sperm count, but only a fool would then conclude that they don't need a condom after substantial smoking.
BTW, I do not intend to be a careful user. Just as I would never buy a GSX-R1000 and then always stay below the speed limit, I'm not about to procure a highly capable device and then use it minimally. I'm the type to drive fast (wearing a helmet and armor while doing so) -- and likewise if I am going to play with potentially risky apps, I'm certainly going to be prepared for disaster.
But even if I were as cautious with installations as you are, I still would not use that to rationalize not having backups.
And always check the app's permissions before you install it. For example, if you are trying to download an alarm clock, and it needs access to your Contacts, that's a red flag. But again, luckily Google is very good at taking these malware apps off the Market before too many people get them.
Google is most likely not inspecting every line of code that makes it into Google Market. They will weed out the obvious malware and act on reports, but I would not strictly count on them to ensure bug-free apps (assuming you believe bug-free apps exist at all; personally I don't believe it's possible to write a bug-free app more complex than "hello world"). Even if Google were to inspect every line, bugs go unnoticed. I see bugs get past code reviews on a regular basis.
And unlike a Linux desktop, an Android phone can ONLY be affected by malware if YOU install the malware app itself.
Absolute pure nonsense. Every android phone executes code and has writable persistent storage, and interfaces with a network. Installing a malicious app is only one way infect an Android phone. A legitimate app with a bug that malware can exploit would also be a means to infect an Android phone. It doesn't even have to be through an app. A basic service working for the kernel could have a bug that an attacker finds before a developer.