It spread through Google Play, in addition to other third-party app stores:
In a blog post written by the McAfee Mobile Research Team blog post, they said it identified about 25 different malicious apps that contain the threat, 13 of which were distributed on Google Play, some since mid-2020.
Some of the apps affected by Xamalicious malware include Essential Horoscope for Android (100,000 installs), 3D Skin Editor for PE Minecraft (100,000 installs), Logo Maker Pro (100,000 installs), Auto Click Repeater (10,000 installs), Count Easy Calorie Calculator (10,000 installs), Dots: One Line Connector (10,000 installs), and Sound Volume Extender (5,000 installs), amongst others.
Strange they haven’t identified who was responsible yet, I mean to get this code into your app surely the first lead would be the developer right?
Link to the source blog entry. It has more information on how the malware went undetected and how it worked.
The key takeaway: never give an app accessibility permissions when it asks unless you are specifically installing an accessibility app. It could never have done anything without that permission.
The McAfee article (found elsewhere in these comments) said the bad apps obtained accessibility permissions through “social engineering” which probably means it simply asked for them after telling you to ignore the serious warnings Android gives you when an app asks for them.