Isn't this a huge loophole? Couldn't a scammer just make many variants of their malware?

If there were a reliable way of identifying people making multiple accounts, it wouldn't be anonymous now would it? This not a loophole but inherent to an anonymous system

The trouble is, the accounts aren't meant to be anonymous. Pseudonymous at best, depending also on the country (a lot of places require government ID before you can assign a phone number, or have a central government querying system for mapping IP addresses and timestamp to the name and address of the subscriber that used it at the time). It's not like they let you create infinite Google accounts without supplying an infinite amount of fresh phone numbers or IP addresses. You also agree to the general Google privacy policy, which allows them to do anything for any purpose last I checked (a few years ago) unless you're a business customer (but then you've got a payment method in use, and they don't accept cash in the mail), such as fingerprinting as part of reCaptcha