According to researchers, some malicious Android apps are downloading and installing despite users rejecting it.

Once it's on the system it displays ads which install even more malicious apps.

Installing something from outside the Play store is always going to be a risk, although the vast majority of apps are perfectly fine, users should always beware.

The hijacking happens after a user has installed a trojanized app that masquerades as an official app available in Google Play and then is made available in third-party markets. During the installation, apps from an adware family known as Shedun try to trick people into granting the app control over the Android Accessibility Service, which is designed to provide vision-impaired users alternative ways to interact with their mobile devices. Malicious Android Apps Will Install, Despite User Rejecting It [arstechnica.com]