For those of you that want to play along at home....
For those of you that have a subscription to Virus Total's malware database I have uploaded several of the apps and modules that were installed on the phones without the users knowledge:
com.concreteroom.thenorthpole-1.apk
26333a6d48deddd3305c07b5ee00bb6e
com.democratizing.casualness-1.apk
82ecf170914d360992e230e0929fc0b8
com.spidmes.peaus-1.apk
fde7346273d4561b306828615412899d
com.tesla.eo.xsdfa.apk
3332c30b6e4823135c984c57e11512ef
com.bird.aa01.apk
3f9cb3284cfb560ea59f6a4d895ee0a5
SystemFota.apk
94f0226b794040cc3e3952614a569c61
Gallery2.apk
e7a6854e7bdd61207100bde3a9cc3f73
Plays_com.android.eo.plays.apks
432feebad71938963100e4571be0a6ed
Some interesting facts:
The Gallery app has encrypted modules hidden in the Assets folder as fake True Type fonts ("samsun.ttf" and "small.ttf")
The com.tesla.eo.xsdfa.apk hides it's icon from the user's screen to avoid deletion by novice users and is designed to look like the "Clean Master" found on the Google Play Store and actually shares some of Clena Master's SDK's.
This app also has several encrypted libs and modules in the Assets folder.
All the apps use the factory installed Calendar app to avoid detection by waiting to decrypt any modules until after the user has had the phone for a while.
Some of the apps didn't appear until after 4 weeks of use.
The apps also look to see if the phone has been rooted by checking for common rooting signatures such as: ("com.koushikdutta.superuser", "com.thirdparty.superuser", "com.yellowes.su", "com.topjohnwu.magisk") and also executing the "su" command in the background.
The apps also detect if they are on an emulator by checking how many processor cores are in use by running "cat /proc/cpuinfo" but is hidden from the system by using base64 encoding.