yeah it's fucking stupid fucking stupid fucking stupid
FUCKING STUPID TO THE EXTREME!
that the included APK is hidden inside the png is totally TOTALLY irrelevant. it could be ANY kind of file that it is in. heck, just "thisisthemaliciousapkinrot8.apk" would do it.
also, does it somehow silently install the malicious apk? on phones where untrusted sources is unchecked? that would be the interesting bit, so I guess no. it would be the main bit of their program, not the irrelevant png wooooo encryption nonsense shit. they could just download the malicious apk too. or open a browser to go the malicious apps url and hope that the user installs it.
I mean fuck, there's dozens of ways to hide malicious code that even gets run in android without this. do the authors even understand how impossible it is for the automatic scans to check for every custom "malicious" code there is? it just checks for pre configured signatures on files ffs. their new malicious code would have gotten through just as included class files, nevermind as included .so files,nevermind as included linux executables(old way to do native parts without ndk).
now, let's get back to talking about host files.