That's the fun part!

By making sure (as much as you possibly could) the source you got it from is safe.

You'll reduce the risk.

I don't. I just consider them compromised and block network connection. Usually that works fine unless it's a ransomware or something..

Apks can be unpacked. There are plenty of offline scanners with high or no size limits too.

There are probably also Android-specific scanners.

Run them in a test sandbox environment, maybe run some network analytics to see if weird outbound or inbound calls start getting made... hope they are not more clever than your sandbox environment.

For APKs specifically... official support for Hypatia from the original team ended last year, but a 'MaintainTeam Organization' seems to be attempting to pick up the slack, and keep updating with new malware signatures.

https://apt.izzysoft.de/fdroid/index/apk/org.maintainteam.hypatia

https://github.com/MaintainTeam/Hypatia

... not sure if its... actually getting regular updates though.

EDIT: derp, yeah

Also, as upstroke says, do a hash comparison from the actual proper source to verify you aren't getting a malformed or spoof version of whatever APK.

Verify their hash signature.

Run the md5.

Of course that only tells you that you got what the author intended, not that what they intended is “safe”

IDK install it on a VM?

What the fuck kind of program is that large?

APK and APKS are just renamed zip files