So it looks like allowing users to easily sideload apps, let alone directly download and install binaries from the mobile web, is problematic. Their stats on third-party app stores seem more scanty.
> In 2018, hostile downloaders made up 22.0% of all sideloaded PHAs, making this the third most prevalent category, as in 2017. While this category accounted for 0.39% of all sideloaded apps in 2017, it is down to 0.20% in 2018, a sharp decline. Last year, Trojans were particularly targeting devices in India, Indonesia, Russia, Brazil, and Mexico.
> The prevalence of hostile downloaders is due to a combination of legitimate third-party stores with poor security setups that distribute PHAs, fake stores that are built specifically for spreading PHAs, pre-installed apps that slipped through the security scans of OEMs, and plain apps that pretend to (or actually do) offer user-wanted features while downloading PHAs in the background.
As an example, HummingBad infected 85 million devices primarily via direct-download on malicious adult websites. (https://www.zdnet.com/article/this-android-malware-has-infec...)