Currently the best we've got is GrapheneOS on a Pixel device.
But it's still problematic. On normal computers you can spoof the MAC address and be done with it. On mobile devices you have to worry about the IMEI, and spoofing it is illegal in some territories.
There's also the Librem 5, built on top of the Linux kernel, but we have yet to see how it will hold up in the real world. https://puri.sm/products/librem-5/
Mobile security is better than it was, but we are not 100% there yet, IMO.
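The "spoof the MAC and be done with it" step for a normal computer, as an added example that is not part of this thread or anyone's post in it. It assumes Linux with iproute2 (`ip`), a root shell for the apply step, and an interface name such as `wlan0` as a placeholder. The generator sets the locally-administered bit and clears the multicast bit in the first octet, so the result is a valid unicast address that never collides with a real vendor OUI, and the apply step refuses anything else.

```bash
#!/bin/sh
# Added example (not from the thread): generate and apply a random
# locally-administered unicast MAC address on Linux with iproute2.

# Print a random MAC (lowercase, colon separated) whose first octet has
# bit 1 (locally administered) set and bit 0 (multicast) cleared.
random_laa_mac() {
    # 6 random bytes from /dev/urandom as 12 lowercase hex characters
    raw=$(od -An -N6 -tx1 /dev/urandom | tr -d ' \n')
    first=$(printf '%s' "$raw" | cut -c1-2)
    # clear bit 0 (multicast), set bit 1 (locally administered)
    first=$(printf '%02x' $(( (0x$first & 0xfc) | 0x02 )))
    rest=$(printf '%s' "$raw" | cut -c3-12)
    printf '%s%s\n' "$first" "$rest" | sed 's/../&:/g; s/:$//'
}

# Exit 0 if $1 is a well-formed lowercase MAC that is unicast and
# locally administered (first octet & 0x03 == 0x02), else exit 1.
is_laa_unicast() {
    mac=$1
    h='[0-9a-f][0-9a-f]'
    case "$mac" in
        $h:$h:$h:$h:$h:$h) ;;
        *) return 1 ;;
    esac
    first=${mac%%:*}
    [ $(( 0x$first & 0x03 )) -eq 2 ]
}

# Apply a MAC to an interface (needs root). Usage: set_mac wlan0 [mac]
# If no MAC is given, a fresh random one is generated. The interface is
# taken down first because most drivers reject an address change while up.
set_mac() {
    iface=$1
    mac=${2:-$(random_laa_mac)}
    if ! is_laa_unicast "$mac"; then
        echo "refusing MAC that is not locally administered unicast: $mac" >&2
        return 1
    fi
    ip link set dev "$iface" down &&
    ip link set dev "$iface" address "$mac" &&
    ip link set dev "$iface" up &&
    echo "$iface now uses $mac"
}

# Example (as root, interface name is a placeholder):
#   set_mac wlan0
```

Change the address before the interface associates with a network, otherwise the old one has already been logged by the access point. On a desktop running NetworkManager, its own MAC randomization (the `wifi.cloned-mac-address` connection setting) may overwrite a manual change, so either use that setting or disable it for the interface.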
As Alice said above, GrapheneOS is your best bet for Android. It has a few hardening patches, avoids calling home as much as possible (captive portal checks and updates from the GrapheneOS repo remaining, IIRC), and often gets updates faster than AOSP, since AOSP pushes updates in waves, delaying as long as a month. GrapheneOS usually updates within six hours of an AOSP update.
Use a VoIP service for calls you do not wish to tie to your number. Linphone and maybe VoIP.ms SMS to go with it.
Tor Browser for normal browsing, Bromite as backup, Vanadium if you need to do normal person stuff.
If you're a cheap bastard, Riseup VPN is decent enough; otherwise OpenVPN. Do not allow connections without the VPN.
Avoid using Bluetooth.
Choose one: use only cellular, or only WiFi with WiFi calling enabled and Airplane Mode always on. Cons of cellular only: susceptible to IMSI catchers, cell tower tracking, carrier tracking. Cons of WiFi only: connection point history, weak driver security, router MitM.
Separate your use-cases in profiles.
Install as few apps as possible.
CrowdStrike has a report on mobile security which is interesting, but not your threat model: https://www.crowdstrike.com/blog/mobile-threat-report-2019-trends-and-recommendations/
The number one distribution mechanism for mobile malware is placing trojaned apps in the Google app store. Warnings about 3rd-party app stores, based on how easy it is to modify an APK, are included. F-Droid with open-source apps might help mitigate the risk of trojanized APKs, but it depends on how big a deterrent having the source available is.
You're best off using burners and not bothering trying to make typical devices safe. Telecom infrastructure is too locked down and surveilled for a device to circumvent much on its own; the cell towers can still get you even if you disable all the internet-related tracking.
The botnet isn't in the OS or the ARM part, it's in the radio chipset; you cannot remove it without removing 2G/3G/4G.