Thanks for sharing OP. It's worrisome that about 50k users have downloaded the malicious app.
The app wasn't malicious when it built and grew its user base.
The infection pathway is not so new. Publish an app of popular demand that's actually working well to gain a user base quickly. Later publish an update to the app that has some download dropper malicious code that passed app store detection. This dropper code then downloads the main malicious code which does the main nasty malware things (the article speaks about, it installs a separate malicious app on the target's Android mobile phone; I have questions to this).
I have a few points to highlight where possibly mobile phone users are a bit reckless and should question their opsec while using their phones for banking, crypto coin stuff and other important stuff.
You're reckless (less politely: stupid) if you install a file viewer app from a developer with name "Hybrid Cars Simulator, Drift & Racing" as shown by OP and taken from linked article. Well, this is an obviously suspicious name case. A less suspicious developer name compared to the app's purpose wouldn't ring alarm bells, sure.
The malicious actors who are well funded often buy existing developer accounts because those accounts likely have less trouble to publish new apps or updates to existing apps which in some cases are renamed to something that suits the malicious actor better for a new malware campaign. This is in most cases cheaper than to develop an own new developer account. But obviously they can't buy large successful dev accounts.
Don't install apps that look fancy or are just trending because they're free. Do you really need a new app on your device where you basically can't really trust the developer. Be caucious if a developer publishes new apps in completely different app genres compared to its past app publishing history. App reviews don't help too much because most of them could be fake and bought.
Normally an app can't install another app without special permission that needs to be granted. Normal Android will ask you if you really want to allow this and/or that you need to change some permissions to allow an app to install other apps (e.g. F-Droid app store need such special permissions).
An Android mobile phone user shouldn't grant permissions that (s)he doesn't understand why they're necessary. Especially when the permissions don't seem appropriate to an app's primary purpose. Yes, I know, this is not easy to answer and distinguish.
The malicious dropper code could of course exploit some bugs in Android. But such bugs are precious, especially when they're so-called
zero-days (yet unknown/non-published new exploits). Malware that uses zero-days, publishes those new attack vectors to the malware research community when they're caught in-the-wild.
As temporary final remark: do you really think it's wise to use your daily driver mobile phone, with all the app shit users commonly install on such daily use devices, for mobile banking, mobile crypto wallets, anything else of considerable value?
If you really need and want to do mobile banking and mobile crypto wallet or trading stuff, I would highly recommend to use a separate mobile device where you de-install anything that's not required for mobile banking and crypto wallets. Don't use this separate mobile for daily stuff, only for those narrowed special use cases.
Personally, I don't do banking stuff on my mobile phone, I do this from my Linux desktop. My mobile phone wallets only have pocket money amounts, rarely more than, say equiv. to 100-300 dollars worth of value.
