java android cookies httpurlconnection

Where does HttpURLConnection store session id cookies on Android?


Where is it located, and is it stored in plain text or encrypted? If it is not encrypted, is there a way to secure it from malware that can steal it from the phone's storage?

Is it safe to store cookies like in a browser when I access my REST API backend through HttpURLConnection class?


Solution

  • The default implementation of HttpURLConnection stores cookies in memory. When the VM exits (i.e., the OS process hosting the application is killed), the cookie storage is gone.

    On a rooted device it would be theoretically possible for a rogue application to spy on your application's memory, or just intercept the HTTP communication to view the cookies. On a non-rooted device this is not possible.

    You can provide your own cookie manager instead of using the default implementation. You can then store the cookies wherever and however you want.

    See https://developer.android.com/reference/java/net/HttpURLConnection#sessions-with-cookies for more information.
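
One way to act on the answer's last suggestion, as an added example that is not part of the original answer: a `CookieManager` subclass (hypothetical name `SealedCookieManager`) that keeps the default in-memory store and mirrors session cookies to a file sealed with AES-GCM. The key and the file location are assumptions; on Android the key would normally be a non-exportable Android Keystore key and the file would sit in app-private storage.

```java
import java.io.*;
import java.net.*;
import java.nio.file.*;
import java.util.*;
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;

/** Hypothetical class: a CookieManager that mirrors session cookies to an AES-GCM sealed file. */
public class SealedCookieManager extends CookieManager {
    private final SecretKey key; // assumption: AES key; on Android one held in the Android Keystore
    private final Path file;     // assumption: a file in the app's private storage
    public SealedCookieManager(SecretKey key, Path file) throws Exception {
        super(null, CookiePolicy.ACCEPT_ORIGINAL_SERVER); // null = default in-memory store
        this.key = key; this.file = file;
        if (!Files.exists(file)) return;
        byte[] blob = Files.readAllBytes(file); // layout: 12-byte IV, then ciphertext and GCM tag
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, blob, 0, 12));
        byte[] plain = c.doFinal(blob, 12, blob.length - 12); // throws if the file was modified
        DataInputStream in = new DataInputStream(new ByteArrayInputStream(plain));
        while (in.available() > 0) {
            URI uri = URI.create(in.readUTF());
            HttpCookie ck = new HttpCookie(in.readUTF(), in.readUTF());
            ck.setDomain(in.readUTF()); ck.setPath(in.readUTF());
            ck.setSecure(in.readBoolean()); ck.setVersion(in.readInt());
            getCookieStore().add(uri, ck);
        }
    }
    @Override public void put(URI uri, Map<String, List<String>> headers) throws IOException {
        super.put(uri, headers); save(); // parse Set-Cookie as usual, then re-seal the file
    }
    /** Re-encrypts the current session cookies; cookies with Max-Age are deliberately not persisted. */
    public synchronized void save() throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(buf);
        for (URI uri : getCookieStore().getURIs()) for (HttpCookie ck : getCookieStore().get(uri)) {
            if (ck.getMaxAge() >= 0 || ck.getDomain() == null || ck.getPath() == null) continue;
            out.writeUTF(uri.toString()); out.writeUTF(ck.getName()); out.writeUTF(ck.getValue());
            out.writeUTF(ck.getDomain()); out.writeUTF(ck.getPath());
            out.writeBoolean(ck.getSecure()); out.writeInt(ck.getVersion());
        }
        try {
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.ENCRYPT_MODE, key); // the provider picks a fresh random IV for every write
            byte[] ct = c.doFinal(buf.toByteArray());
            buf.reset(); buf.write(c.getIV()); buf.write(ct); Files.write(file, buf.toByteArray());
        } catch (java.security.GeneralSecurityException e) { throw new IOException(e); }
    }
}
```

Install it once at startup with `CookieHandler.setDefault(new SealedCookieManager(key, file))`; every later `HttpURLConnection` response then passes through `put`.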