It seems like they could get a better outcome by having levels of trust for unsanctioned apps. Like the default for side-loaded apps would be just as an app only. No background processing, notifications, loading services. To get the latter functionality you could make the user jump through a bunch of hoops with nasty warning messages or even just not allow it.
Note that if you enforce this for all side loaded apps are turning Android closer to the walled garden that is iOS.
There are already many legitimate apps distributed outside of Google Play for various reasons, such as weird Google policies or simply being booted out with no or spurious reason & the developer not being able to ever reach a human to fix this.
I wish apple would allow side loaded apps. I'm not saying eliminate side loaded apps all together. Merely, it seems like its a binary view. Either allow side loaded apps and make no attempt to design the installation process with security features, or deny un-approved applications entirely in the name of security.
I think Apple's desktop solution to unverified developers is a good way to split the difference. Deny by default but allow whitelisting. They go even further under the privacy tab and only allow certain applications permission to access accessibility features or full disk access, etc.
This actually seems broadly similar to the issue with "self-XSS" and the developer console in browsers (which is hidden behind a couple of menus). So far most of the mitigations involve the site printing messages into the console telling users to not paste in anything here unless they are a developer.
Maybe it's a good idea to hide the "Allow sideloaded apps" under the developer menu in Android or something, or generally to display a scarier message.
The end result of this is largely to discourage competition. The Google Play Store is not good at security, and the prohibition on sideloading is far less effective at preventing infection than it is at preventing app developers from avoiding Google's 30% app tax.
According to claims on Reddit, this malware can re-enable "Allow installing untrusted apps" checkbox after user unchecks it.
This and it's ability to survive factory reset may indicate, that xhelper can gain complete control over device (probably via improperly built firmware or unpatched root exploits). No amount of sandbox enhancements can stop this kind of priviledge escalation.
