Another reminder to verify checksum or repository integrity before installing or running any executable. The report is saying that they substituted - likely with the ISP collusion to achieve MitM - trojan-ized versions of popular apps from download sites. Chillingly, they target privacy oriented apps including Threema and Truecrypt.
This is related, and also a reminder that you can never blindly trust apps, even when downloaded from a trusted source. Scary stuff: https://www.welivesecurity.com/2018/01/09/turlas-backdoor-laced-flash-player-installer/