Let's say you just connected to a network you don't know it's owner, and you started downloading an app, since the router is a bridge of the received packets, the owner can modify( change them) and inject through them his own code, is what I'm saying right?
See it is not possible to inject arbitary code in an APK since APK's integrity is ensured ( App Signing ) through signing.
However if you intend to download an APK outside the play store then on any network you can get redirected ( DNS cache poisoning ) to a fake replica and you can be fooled to download an infected APK .
Hence it is not recommended to download apps outside the play store and if they have to be downlaod then we need to insure that we are downloading it from the correct web site ( making sure that it is a secure site and has a valid certificate )