Malware can only be installed as a ‘System Update’ app via third-party Android app stores as it was never available on Google’s Play Store. Remote access trojan (RAT) can collect and exfiltrate an extensive array of information to its command-and-control server. Once in control, hackers can record audio and phone calls, take photos, review browser history, access WhatsApp messages, and more. The spyware harvests data directly if it has root access or will use Accessibility Services to trick victims into enabling the feature on the compromised device.
Source: https://www.bleepingcomputer.com/news/security/new-android-malware-spies-on-you-while-posing-as-a-system-update/