The behavior described most closely matches Agent Smith, an Android malware family known for replacing or hijacking legitimate applications and monetizing that access through ad fraud and data abuse. The strongest clues are the installation from a third-party marketplace, the silent replacement of already installed apps, and the use of those altered applications to push excessive advertisements while collecting information. In CEH mobile platform discussions, third-party app ecosystems are repeatedly identified as high-risk distribution paths for malicious or trojanized software because the apps may avoid the stricter vetting associated with official marketplaces. Pegasus is generally associated with advanced spyware capabilities and covert surveillance, not ad-fraud-driven replacement of popular apps. GoldPickaxe is tied to more targeted mobile credential and identity theft campaigns, while Mamo is not the fitting malware profile here. This question is testing recognition of a well-known Android malware pattern: malicious code embedded in an apparently useful application that later abuses the trust and visibility of legitimate apps already on the phone. CEH mobile security principles stress that unofficial app sources significantly increase the risk of this kind of compromise.