If the phone has disabled downloading from unknown sources...how can you hack it?
Social engineer them into downloading it
For example what folks did with Pokemon Go: it was not available globally so gamers in the non-approved countries were looking for a copy of the APK online. When they downloaded it the APK in fact had malware of some form nested inside it. Probably cooked up with MSFvenom or Metasploit if I am correct in thinking.
People just had to get a copy of that game so created their own attack vector by downloading an app in a manner that would likely break from their usual behavior.
It probably wasn't MSFvenom because it would be easy to detect. It was probably manually written