alt Hacker NewsWhilst the play store supposedly scans all apps for malicious behaviour, it's pretty easy to detect the test environment they use for testing and make malicious behaviour only trigger in situations Google doesn't test - eg. 5 days after installation, only if the device IP address changes at least once.
I'd imagine the dalvik part to be pretty open to static analysis?
On the desktop JVM, I've seen bytecode that decompiled to a form more readable than the original source I got access to later...