malware – Which indicators can I have that an Android has been compromised?

My father said that he had allowed the installation of applications from unknown sources when he was asked to do so to go further with something (he said that I do not remember when or what he did).

In Android 8.0 (the version of his smartphone), we can allow a third-party installation in individual applications. So I went to this tab and found that only Google Chrome was capable of this type of installation. So, I navegate via my father's apps and find nothing suspicious.

When I went to the files, I found a folder called Have I got. Inside, a file without extension called psnger_encrypted or something like that. When I went to select the file to see the details, I accidentally clicked on the file. Android has said that no application to open this file has been found.

Could a file have been executed even when Android was saying this message? If this file is malicious, is it possible that the phone was run and infected?

In doing some research, I found that a Chinese app called "DiDi" also had a file called "psnger". In addition, I found a file in my father's phone called .omega.key, and this file is also included in the topics related to the DiDi application. The fact is that I can not find this application on the phone, and I'm looking for ways to indicate that the phone has malicious content. I have run AVG and Malwarebytes, but both have not detected anything. What can I do else?