Many cracked installers attach themselves to your Xposed Framework or Magisk modules. Even if you delete the installer app, the malware remains in the system root, surviving factory resets.
Hackers take the original APK (downloaded legally via Google Play), decompile it (turn it back into readable code), locate the license verification library (LVL) or the billing service, and patch it. They then recompile the app with a new signature. Installer Cracked Google Play Download
The irony of downloading a "security-bypassing" tool is that the user must dismantle their own device’s security to use it. Many cracked installers attach themselves to your Xposed