I do not fully agree with you. Checking reviews does not mean anything. You can find out that the application is compromised only after a long time, when it starts to act actively.
If you installed it relying on reviews, you will fall into the trap along with all the other users. Ideally, you need to install open source applications, or at least refrain from installing for several months if the application is new and little known.
That's correct, if the discussion was about the reviews from the Play Store. Also, most apps have a good number of reviews made/bought by the dev, which are obviously good no matter what, and when the app is young, they can fool you.
If the discussion is about reviews from blogs and specialized websites, the risk should be smaller, especially if the review exists on multiple sites and some of them are well known. At that point the app may be mature enough too.
I can only say that that phone got this infection after the owner downloaded some sport-related app from Google Play, but I am not sure whether the phone is rooted or not. What I can say is that it was a phone without any protection and with no updates from Google in the last 2 years.
[...]
What I found on the page from Symantec is that this malware is possibly targeting Jio 4G network users in India, who already have a free app that protects them from xHelper.
OK, this is somewhat more reassuring (for me), thanks.