A different approach than the SolarWinds breach to deploying malware within legitimate software: purchase a legitimate app on, for instance, the Google Play store, infect it with malware, and then issue an update to its millions of users.
By the time the attack is discovered, the damage is all done.
See more here: Owner of app that hijacked millions of devices with one update exposes buy-to-infect scam | ZDNet.
Social engineering attacks become more imaginative every day!
