Good catch after looking into it more this may be related to subcontractors providing vendors with malicious update tools that they then sign.

https://maldroid.github.io/docs/vb_2022.pdf