Android is wormable, and potentially not repairable by google.
For example, with a decent remote android exploit, I could distribute a patched Google Play Services to all vulnerable handsets which disables updates and then listens to my own command and control infrastructure for further actions.
I can now hold the phones hostage and extort google for money to regain control of them.
That would be pretty brutal and cause people to quit trusting android phones.
But I think the same could be accomplished with the access he had, or worse, but would have taken a lot more work. He also would have needed to avoid detection too. His access sounds more troubling than the Aroura attacks they had years ago.
For example, with a decent remote android exploit, I could distribute a patched Google Play Services to all vulnerable handsets which disables updates and then listens to my own command and control infrastructure for further actions.
I can now hold the phones hostage and extort google for money to regain control of them.