by toast0 2793 days ago
Apks are signed. There's no explicit public way to check ownership of a key, but comparing the public keys to those on the same app retrieved from the play store works.

If there’s no way to check ownership, any properly re-signed malicious apk would still not be distinguished from a real version.

According to the comments below currently the only way to notice a malicious but signed app would be updating an existing version from the play store. That requires access to the play store and installing an app from there first.

Allowing random 3rd parties to publish high profile apps stolen from the Play store seems a very bad idea. Especially if the OS doesn’t check the apk signature against that same play store.
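The key comparison toast0 describes (and the same-signer rule the reply says Android applies on update) as an added example that is not code from this thread: a stdlib-only Python script that pulls the signing certificates out of an APK's v1 (JAR) signature block in `META-INF/` and compares their SHA-256 fingerprints with those of a reference copy, i.e. the build retrieved from the Play Store. The APK fixtures and the PKCS#7 skeleton inside them are constructed here for the demo; the v2/v3 APK Signing Block that newer APKs also carry is not parsed by this simplified reader.

```python
import hashlib, io, zipfile

def _tlv(buf, pos):
    # One DER tag/length header at pos -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next N bytes hold the size
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length
def _children(buf, start, end):
    # Elements of a constructed value -> (tag, element_start, value_start, value_end)
    pos = start
    while pos < end:
        tag, vs, ve = _tlv(buf, pos)
        yield tag, pos, vs, ve
        pos = ve
def pkcs7_cert_fingerprints(der):
    # SHA-256 over each DER Certificate inside a PKCS#7 SignedData (what apksigner prints)
    _, s, e = _tlv(der, 0)                                                 # ContentInfo
    wrap = next(c for c in _children(der, s, e) if c[0] == 0xA0)           # [0] EXPLICIT
    _, s, e = _tlv(der, wrap[2])                                           # SignedData
    certs = next((c for c in _children(der, s, e) if c[0] == 0xA0), None)  # certificates [0]
    return set() if certs is None else {hashlib.sha256(der[c[1]:c[3]]).hexdigest()
                                        for c in _children(der, certs[2], certs[3]) if c[0] == 0x30}
def apk_signer_fingerprints(apk_bytes):
    # Certificates from every v1 (JAR) signature block under META-INF/
    fps = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                fps |= pkcs7_cert_fingerprints(z.read(name))
    return fps
def same_signer(apk_a, apk_b):
    # True only when both APKs carry the same, non-empty set of signing certificates
    a, b = apk_signer_fingerprints(apk_a), apk_signer_fingerprints(apk_b)
    return bool(a) and a == b
# Constructed fixtures: a minimal PKCS#7 skeleton standing in for a real CERT.RSA (sizes < 256)
def der(tag, content):
    n = len(content)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x81, n])) + content
def build_fake_apk(cert_body, signature):
    cert = der(0x30, cert_body)                         # stand-in for a DER X.509 Certificate
    signed = der(0x30, der(0x02, b"\x01") + der(0x31, b"") + der(0x30, b"")
                 + der(0xA0, cert) + der(0x31, der(0x30, der(0x04, signature))))
    block = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02") + der(0xA0, signed))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"constructed payload")
        z.writestr("META-INF/CERT.RSA", block)
    return buf.getvalue()
```

Two builds signed by the same key have different signature bytes but identical certificate fingerprints, which is why the comparison is on the certificate and not on the whole `.RSA` file.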