Most likely load arbitrary binary code and execute it. Which also makes it really hard to figure out what it actually did.
Among the options of what could be pushed:
- proxyware, turning your network into a residential proxy that can then be sold to anyone willing to pay for them to commit crimes, send spam, scrape, ... with your IP [I believe this is the primary suspect here]
- other standard botnet crap like DDoS bots
- exploits that try to break out of the sandbox to establish persistence, steal other data, or steal your Google account token
- code that steals all data/tokens that the app itself has access to
- adware that shows ad notifications etc.
- ransomware that tries to prevent you from leaving the app (of course this works best if they get a sandbox escape first, but I'm sure you can get pretty close with just aggressive creative use of existing APIs)