threatpost[.]com/abandoned-mobile-cc-servers-present-opportunity-to-attackers/121122/
What they talk about makes sense to me... Android & iOS app developers make money by selling their games & apps, &/or by in app/game purchases, &/or by serving ads. When they serve ads, that app/game phones home to find out what ads to show, & downloads that content. When a developer abandons one of these apps, they can also abandon the address for the server that used to host those ads. When that happens it goes up for sale.
Now if a criminal buys that domain name/address, they can tell any app or game that phones home to that server to download whatever they want it to download. No worries about getting a malware-laden app into the Play store -- no worries about getting the required permissions to cause mayhem etc.