Many APKs on such sites use a technique called smali patching . A benign app like Spotify is modified to include a malicious smali class that triggers a phishing overlay (a fake login screen for Instagram or PayPal) once a week.
