Google also acknowledged that some of the tools it makes available to developers — including APK Analyzer — currently fail to parse such malicious applications and treat them as invalid, while still allowing them to be installed on user devices.
Hopefully the new IoT US Cybersecurity Trust Label takes these risks into consideration to inform consumers of increased risk, before buying or installing an IoT device and the software used to operate and administer the device.