This is one of the major differences between Apple's App Store rules and Google's Play Store rules. Apple has traditionally not allowed third party apps to download and execute code.
Apple doesn't trust you to write your own JavaScript engine, for instance. You have to use Apple's.
On the Play Store side, the ability to download executable code has proven to be an issue, as you mention.
> Known as Joker, this family of malicious apps has been attacking Android users since late 2016 and more recently has become one of the most common Android threats.
One of the keys to Joker’s success is its roundabout way of attack. The apps are knockoffs of legitimate apps and, when downloaded from Play or a different market, contain no malicious code other than a “dropper.” After a delay of hours or even days, the dropper, which is heavily obfuscated and contains just a few lines of code, downloads a malicious component and drops it into the app.
Just don't allow extensions that do that. An automated search for eval(), remote imports and script tags would probably catch most of these and if someone manages to hide it from the auditors, since source code needs to be available, a security researcher would find and report it eventually.
