Questionmark Is it possible that a hacker injects malware into a GrapheneOS device via a fake update?
No, update signatures are verified and degradation avoided. GrapheneOS operating system and application versions are signed with keys that are not accessible to any of the servers. An attacker with access to one of the servers cannot release a malicious update or ship an older version as a downgrade.
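The two checks the answer above names (signature verification against a key the servers do not hold, and refusing older versions) can be sketched as follows. This is an added example, not GrapheneOS code and not part of the original posts; the toy textbook-RSA key, the metadata fields and the version numbers are constructed assumptions, chosen so it runs with the Python standard library alone.

```python
import hashlib
import json

# Constructed toy key pair (two Mersenne primes). Textbook RSA is a stand-in
# so the example needs no third-party library; it is not a production scheme.
_P, _Q, E = 2**89 - 1, 2**127 - 1, 65537
N = _P * _Q                              # public modulus, pinned on the device
_D = pow(E, -1, (_P - 1) * (_Q - 1))     # private exponent, never on a server


def _digest(metadata: dict) -> int:
    """Hash the canonical JSON form of the release metadata into Z_N."""
    blob = json.dumps(metadata, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(blob).digest(), "big") % N


def sign_release(metadata: dict) -> int:
    """Offline signing step (hypothetical helper for building sample data)."""
    return pow(_digest(metadata), _D, N)


def accept_update(installed_version: int, metadata: dict, signature: int) -> str:
    """Device-side check: pinned-key signature first, then the version floor."""
    if pow(signature, E, N) != _digest(metadata):
        return "reject: bad signature"
    if metadata["version"] < installed_version:
        return "reject: older than installed version"
    return "accept"


# Constructed sample releases and their signatures.
OLD = {"version": 2024010100, "payload_sha256": "aa" * 32}
NEW = {"version": 2024020100, "payload_sha256": "bb" * 32}
OLD_SIG, NEW_SIG = sign_release(OLD), sign_release(NEW)


def demo() -> dict:
    """What a device sees from an honest server and from a compromised one."""
    tampered = dict(NEW, payload_sha256="cc" * 32)  # server swaps the payload
    return {
        "genuine": accept_update(OLD["version"], NEW, NEW_SIG),
        "tampered": accept_update(OLD["version"], tampered, NEW_SIG),
        "replayed_old": accept_update(NEW["version"], OLD, OLD_SIG),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The replayed old release carries a valid signature, so only the version comparison stops it; that is why both checks are needed.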
Questionmark Is there a list of GrapheneOS system apps that are legit so I could spot potentially malicious apps when I scroll through them?
All system applications on GrapheneOS are legit; it's not clear what you're asking here.