The installation packages of Android apps (.APK files) are deploy with.ZIP files. Because of the fundemental design concept. It let malware has way for infection. Yes, threat actor can place a malicious DEX file at the start of the APK file. But V2 signing mechanism can avoid above types of infection. However of the compatiblity issue, older Android versions with only version 1 of the signing scheme application still alive. We known that risk may occurs in such circumstances. The fact is that Enterprise MDM solutions may not detect these apps.

Reference: https://developer.android.com/about/versions/nougat/android-7.0#apk_signature_v2