The initial APK is clean—it plays a game, shows a flashlight, or a PDF reader. It passes GPP with 100% safety. However, the app contains an encrypted .dex file hidden in assets or downloaded from a remote server. After installation, the app decrypts and loads the malicious code via DexClassLoader .