
Three different APK file sizes for the same version/build app?

2 votes
1 answer
499 views
I'm getting three different APK file sizes for supposedly the [same version/build app](https://play.google.com/store/apps/details?id=com.starfinanz.mobile.android.dkbpushtan):

- [Version 1](https://apps.evozi.com/apk-downloader/?id=com.starfinanz.mobile.android.dkbpushtan) from Evozi: 22.485.694 bytes
- [Version 2](https://apkpure.com/dkb-tan2go/com.starfinanz.mobile.android.dkbpushtan) from Apkpure: 22.766.408 bytes
- [Version 3](https://tan2go.de.aptoide.com/app) from Aptoide: 18.641.648 bytes

**Why?** Which file is the original one and which two are fakes?

Could you please confirm that the Evozi downloader is trying to "slip" you an APK version (here: 2.7.2) different from the Google Play store link that you provided (here: 2.7.3) or that both Apkpure and Aptoide are claiming *more recent* publishing dates (here: 08-09-2021 and 14-09-2021) than the original (06-09-2021)? Why is this happening?

**UPDATE 1:** As per request, I've extracted all APKs. The results are even more concerning:

- Version 1 from Evozi: 957 Files, 51 Folders, 24.757.075 bytes
- Version 2 from Apkpure: 819 Files, 21 Folders, 25.118.159 bytes
- Version 3 from Aptoide: 4319 Files, 101 Folders, 31.704.315 bytes

*...4319 files?!*

**UPDATE 2:** As suggested, I used apksigner to take a look at the certificates inside the APKs:

Version 1 from Evozi: 957 Files, 51 Folders, 24.757.075 bytes

```
C:\Users\...\Desktop>java -jar apksigner.jar verify --verbose --print-certs com.starfinanz.mobile.android.dkbpushtan_30044_apps.evozi.com.apk
Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): false
Verified using v4 scheme (APK Signature Scheme v4): false
Verified for SourceStamp: false
Number of signers: 1
Signer #1 certificate DN: CN=Niels Mathea, OU=IT Betrieb Bank, O=DKB Service GmbH, L=Potsdam, ST=Brandenburg, C=DE
Signer #1 certificate SHA-256 digest: e5067dca4553173a1dd76352a8287b293960119689244ac58d0552703efe4268
Signer #1 certificate SHA-1 digest: b4199718eaa0e676755af77419fb59abf7fece00
Signer #1 certificate MD5 digest: 0a566744818c6fb89f4c900a1502cf1c
Signer #1 key algorithm: RSA
Signer #1 key size (bits): 2048
Signer #1 public key SHA-256 digest: d878ba65ddcd7bbd0d9fd284f0bc61762c7ecb83ecb6c58c8c138939fb661f7f
Signer #1 public key SHA-1 digest: dbf739ed124f07181b3cdd1867bdd0eb63da3d71
Signer #1 public key MD5 digest: 94fcb9a87a8ec48eed706456a93ab0cd
WARNING: META-INF/androidx.customview_customview.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
[...]
```

Version 2 from Apkpure: 819 Files, 21 Folders, 25.118.159 bytes

```
C:\Users\...\Desktop>java -jar apksigner.jar verify --verbose --print-certs "DKB TAN2go_v2.7.3_apkpure.com.apk"
Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): false
Verified using v4 scheme (APK Signature Scheme v4): false
Verified for SourceStamp: false
Number of signers: 1
Signer #1 certificate DN: CN=Niels Mathea, OU=IT Betrieb Bank, O=DKB Service GmbH, L=Potsdam, ST=Brandenburg, C=DE
Signer #1 certificate SHA-256 digest: e5067dca4553173a1dd76352a8287b293960119689244ac58d0552703efe4268
Signer #1 certificate SHA-1 digest: b4199718eaa0e676755af77419fb59abf7fece00
Signer #1 certificate MD5 digest: 0a566744818c6fb89f4c900a1502cf1c
Signer #1 key algorithm: RSA
Signer #1 key size (bits): 2048
Signer #1 public key SHA-256 digest: d878ba65ddcd7bbd0d9fd284f0bc61762c7ecb83ecb6c58c8c138939fb661f7f
Signer #1 public key SHA-1 digest: dbf739ed124f07181b3cdd1867bdd0eb63da3d71
Signer #1 public key MD5 digest: 94fcb9a87a8ec48eed706456a93ab0cd
WARNING: META-INF/androidx.customview_customview.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
[...]
```

Version 3 from Aptoide: 777 Files, 21 Folders, 25.059.540 bytes

```
C:\Users\EPI-SMLM\Desktop>java -jar apksigner.jar verify --verbose --print-certs com-starfinanz-mobile-android-dkbpushtan-30049-59302957-c297d2d2df90587173f6f8b78fce939d.apk
Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): false
Verified using v4 scheme (APK Signature Scheme v4): false
Verified for SourceStamp: false
Number of signers: 1
Signer #1 certificate DN: CN=Niels Mathea, OU=IT Betrieb Bank, O=DKB Service GmbH, L=Potsdam, ST=Brandenburg, C=DE
Signer #1 certificate SHA-256 digest: e5067dca4553173a1dd76352a8287b293960119689244ac58d0552703efe4268
Signer #1 certificate SHA-1 digest: b4199718eaa0e676755af77419fb59abf7fece00
Signer #1 certificate MD5 digest: 0a566744818c6fb89f4c900a1502cf1c
Signer #1 key algorithm: RSA
Signer #1 key size (bits): 2048
Signer #1 public key SHA-256 digest: d878ba65ddcd7bbd0d9fd284f0bc61762c7ecb83ecb6c58c8c138939fb661f7f
Signer #1 public key SHA-1 digest: dbf739ed124f07181b3cdd1867bdd0eb63da3d71
Signer #1 public key MD5 digest: 94fcb9a87a8ec48eed706456a93ab0cd
WARNING: META-INF/androidx.customview_customview.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
[...]
```

There is a long list of warnings coming with each APK. Also, as indicated in the comments, Aptoide provided the wrong APK - file size and number of contained files/folders have been updated.

Anyone know what to make of this output?

Asked by srhslvmn (299 rep)
Jul 8, 2022, 05:38 PM
Last activity: Jul 9, 2022, 12:23 PM
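
An added example, not part of the original post: parsing `apksigner verify --verbose --print-certs` reports of the shape shown above and comparing each signer certificate SHA-256 digest against one you already trust. The pinned digest is the one printed in the post; `OTHER_DIGEST` and the `resigned` and `v1-only` reports are constructed for illustration.

```python
import re

# Line shapes from `apksigner verify --verbose --print-certs`, as shown in the post.
SCHEME_RE = re.compile(r"^Verified using (v[\d.]+) scheme .*: (true|false)$")
CERT_RE = re.compile(r"^Signer #(\d+) certificate SHA-256 digest: ([0-9a-f]{64})$")
WARN_RE = re.compile(r"^WARNING: (META-INF/\S+) not protected by signature")

def parse_apksigner(text):
    """Parse one report into scheme results, signer digests and unprotected entries."""
    rep = {"verifies": False, "schemes": {}, "certs": {}, "unprotected": []}
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "Verifies":
            rep["verifies"] = True
        elif m := SCHEME_RE.match(line):
            rep["schemes"][m.group(1)] = m.group(2) == "true"
        elif m := CERT_RE.match(line):
            rep["certs"][int(m.group(1))] = m.group(2)
        elif m := WARN_RE.match(line):
            rep["unprotected"].append(m.group(1))
    return rep

def verdict(rep, pinned_sha256):
    """Judge one parsed report against the signer digest you already trust."""
    if not rep["verifies"] or not rep["certs"]:
        return "signature invalid"
    if set(rep["certs"].values()) != {pinned_sha256}:
        return "different signer"
    if not (rep["schemes"].get("v2") or rep["schemes"].get("v3")):
        return "same signer, v1 only"  # JAR signing does not cover the whole file
    return "same signer, whole-file signature verified"

PAGE_DIGEST = "e5067dca4553173a1dd76352a8287b293960119689244ac58d0552703efe4268"  # from the post
OTHER_DIGEST = "ab" * 32  # constructed: stands in for a re-signed copy

def sample(digest, v2="true"):
    """Constructed, abbreviated report in the shape of the post's output."""
    return "\n".join([
        "Verifies",
        "Verified using v1 scheme (JAR signing): true",
        f"Verified using v2 scheme (APK Signature Scheme v2): {v2}",
        f"Signer #1 certificate SHA-256 digest: {digest}",
        "WARNING: META-INF/androidx.customview_customview.version not protected by signature.",
    ])

# "resigned" and "v1-only" are hypothetical sources, not files from the post.
REPORTS = {"evozi": sample(PAGE_DIGEST), "resigned": sample(OTHER_DIGEST),
           "v1-only": sample(PAGE_DIGEST, v2="false")}
VERDICTS = {src: verdict(parse_apksigner(txt), PAGE_DIGEST) for src, txt in REPORTS.items()}
```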