The appstore prior to 8.12.0.0 exposes some of its components, and the attacker can cause remote download and install apps through carefully constructed parameters.
vivo appstore