For those of you that want to play along at home....
For those of you that have a subscription to Virus Total's malware database I have uploaded several of the apps and modules that were installed on the phones without the users knowledge:
Some interesting facts:
The Gallery app has encrypted modules hidden in the Assets folder as fake True Type fonts ("samsun.ttf" and "small.ttf")
The com.tesla.eo.xsdfa.apk hides it's icon from the user's screen to avoid deletion by novice users and is designed to look like the "Clean Master" found on the Google Play Store and actually shares some of Clena Master's SDK's.
This app also has several encrypted libs and modules in the Assets folder.
All the apps use the factory installed Calendar app to avoid detection by waiting to decrypt any modules until after the user has had the phone for a while.
Some of the apps didn't appear until after 4 weeks of use.
The apps also look to see if the phone has been rooted by checking for common rooting signatures such as: ("com.koushikdutta.superuser", "com.thirdparty.superuser", "com.yellowes.su", "com.topjohnwu.magisk") and also executing the "su" command in the background.
The apps also detect if they are on an emulator by checking how many processor cores are in use by running "cat /proc/cpuinfo" but is hidden from the system by using base64 encoding.