The Google Play Store has numerous protections in place, but enterprising hackers will always find a way, as evidenced by a number of malware-infected apps that have recently been taken down, but not before at least one of them passed the 500,000 download milestone. The malware in question is known as Andr/HiddnAd-AJ, and it gets its name from the fact that it's well-hidden from both Google's Play Protect technology and unsuspecting users until it's too late. Some of the infected apps masqueraded as QR code scanners or compass apps, and could be observed exhibiting tame behavior for hours on end before suddenly unleashing wave after wave of all sorts of ads upon hapless devices.
The way it all works is by planting a graphics subset into the app's programming that looks like any old library you may find in an average Android app. To Play Protect, it looks as though the app plans to pull some visual assets from an outside server. What happens instead is that the app connects to a command server upon first being loaded up, and receives a set of instructions along with a unique Google ad ID. From there, it will wait as long as specified, then open up full-screen ads even when the app in question is not being used, and throw ad-laden notifications into your notification bar. After a while, it will connect to the command server again for new assets and instructions.
If you've been infected with one of these adwares, uninstalling the app should be enough. Sophos' security staff analyzed one infected app and did not see anything noteworthy to suggest that it makes any effort to stick around or spread itself. Rooted users may want to run a few extra checks before assuming all is well. The Sophos Mobile Security app and others like it can detect such malware, among others, for free. Google's Play Protect system is far from perfect, as is almost any security system, but users are advised to continue trusting it for now and to stay away from third-party app markets when possible, as most of them have little to no vetting process for new apps.