That only verifies that the app stores are not directly adding a backdoor to the APK. An exploit could still be hiding in plain sight within the code, or more likely added by the OS through various mechanisms like a direct OS exploit making it easy to read application memory, or the OS injecting an exploit while starting the app.