I am using the implementation 'android.arch.lifecycle:extensions:1.1.1' in my project.
When I build the release or debug apk and open AndroidManifest.xml from within the apk,
I see this line.
<provider android:authorities="com.myapp.crashlyticsinitprovider" android:exported="false" android:initOrder="90" android:name="com.crashlytics.android.CrashlyticsInitProvider"/>
<provider android:authorities="com.myapp.testapp.lifecycle-trojan" android:exported="false" android:multiprocess="true" android:name="android.arch.lifecycle.ProcessLifecycleOwnerInitializer"/>
Should I be worried?
I also see this in the build->intermediates->instant_app_manifest_debug->AndroidManifest.xml
Should I be worried?
No you shouldn't. It's used by the ProcessLifecycleOwner, and it is not a malware.
Further proofs
As you can see from the aosp-mirror, the file get merged from here, and after few months from the release they have changed the file to this version.
Solution
Migrating to androidx should solve it. Now they have renamed the name from lifecycle-trojan to lifecycle-process.
You can find more information here