Newer versions of the Godless strain are made to only fetch the exploit and the payload from a remote command and control server after the installation of the app Trend Micro believes this is done so the malware can more easily bypass security checks performed by app stores, like Google Play.
The security researchers claim they found several apps in the Play Store that contain the malicious code and they also found a large number of clean apps on Google Play that have corresponding malicious versions in the wild that share the same developer certificate. Presumably, there's a risk that the clean apps from the Play Store will be upgraded to the malicious ones via an update outside of Google Play:
We found various apps in Google Play that contain this malicious code. The malicious apps we’ve seen that have this new remote routine range from utility apps like flashlights and Wi-Fi apps, to copies of popular games. For example, a malicious flashlight app in Google Play called “Summer Flashlight” contained the malicious Godless code.Full details at TrendMicro.
We have also seen a large amount of clean apps on Google Play that has corresponding malicious versions—they share the same developer certificate—in the wild. The versions on Google Play do not have the malicious code. Thus, there is a potential risk that users with non-malicious apps will be upgraded to the malicious versions without them knowing about apps’ new malicious behavior. Note that updating apps outside of Google Play is a violation of the store’s terms and conditions.