They can't. If "no phishing" is a desired property, then it would be up to the distribution ecosystem to either carefully monitor for such products and deny them, or to at least allow some mechanisms for users to verify products themselves (as SSL combined with URL bars does for general web traffic).
How do banks ensure nobody makes a phishing version of their apps?