If this can happen, is it possible that once mandatory developer verification comes into effect, all 3rd party apps will be uninstalled at first and require a re-install?
Concerning this specific case, NFCGate is a tool on which malware (family) titled NGate by ESET is based, thus likely causing a false positive.
Oh, and no bypass is available anymore (aside from disabling play protect):
Play protect will remove things that google doesn’t like, not malware.
Working at a phone retail place, I have never seen malware not from the Play store. There is fuckloads of malware on the Play store. Most of it faking Google’s own apps which you’d think they would care about, but they don’t. All of that walks straight through play protect and in some cases on Samsung phones will abuse their security features to not let you remove it easily.
Fake apps that replace your home screen, display ads every 5 seconds, and close any app that you’re in are rampant on the Play store and play protect will do nothing about it.
It has the largest user base to target.
If it was normal to just search the web for all the apps you wanted, and you installed from from prompts on vendor websites, then all of the malware would come from that instead.
Google and Apple claim their stores address the issue. But it’s almost impossible to pay enough people to deeply review every single app and app update.
It would be easy to pay for it, but shareholders don’t like that
I searched for “Messages” on the play store, and the top link was malware. WTAF?