Android doesn't surface app signatures beyond requiring that updates share the same signature while the original is installed. I thought a potential app could exfiltrate data, voice, do crypto mining, act as an unauthorized VPN exit node for commercial VPNs or cyberattacks, etc.