When sourcing .apk files from 3rd party sites such as [APK Mirror](https://www.apkmirror.com/) or [APK Pure](https://apkpure.com/), is there a way to verify whether said files are tampered with, from a potential malware inclusion point of view?
As an example, let's analyze [this YouTube package](https://www.apkmirror.com/apk/google-inc/youtube/youtube-18-45-43-release/youtube-18-45-43-android-apk-download/).
It lists signature(s) and claims they're verified, but what to compare the hashes _against_? How does the community generally navigate this topic?
Asked by laur
(101 rep)
Apr 12, 2025, 01:28 AM
Last activity: May 20, 2025, 03:20 PM