Threema for Android’s APK files are cryptographically signed by Threema. Android only installs an update if it has been signed with the same key as the app already installed on the device. This ensures that no tampered updates can be installed.
If you also want to verify the initial installation, you have to check the public key hash or the certificate hash using apksigner:
"$ANDROID_SDK/build-tools/$BUILD_TOOLS_VERSION/apksigner" verify --print-certs -v "$APK_FILE"
Threema uses the following public keys and certificates:
Certificate digest (SHA256): d78daf9601c1b4686f126436b2432b84e7bbc42b3a87381abafac961ac7133ad
Public key digest (SHA256): 269d600e1ce7e0a7ffddb18fb92251092938f5be38ea1113e29213564b32cb44
Certificate digest (SHA256): 0508b53ff102b538919c834e9e6b6afba046edf67e17ca4d1ce7a4b9c3823741
Public key digest (SHA256): 8042eee413093ad651a391da2ac5799ae1744a09fb44056d1fc2f1911a052e39
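The comparison can be scripted instead of done by eye. The following is an added example, not Threema's own tooling: it parses the "Signer #N ... SHA-256 digest" lines that apksigner prints and accepts the APK only if every signer matches a digest pair listed above. The function names are hypothetical, and treating the four digests as two certificate/public-key pairs in page order is an assumption.

```shell
#!/bin/sh
# Added example: pin-check for `apksigner verify --print-certs -v` output.
# Digests are the ones published on this page; grouping them into two
# certificate:public-key pairs (in page order) is an assumption.
PINNED_PAIRS="d78daf9601c1b4686f126436b2432b84e7bbc42b3a87381abafac961ac7133ad:269d600e1ce7e0a7ffddb18fb92251092938f5be38ea1113e29213564b32cb44 0508b53ff102b538919c834e9e6b6afba046edf67e17ca4d1ce7a4b9c3823741:8042eee413093ad651a391da2ac5799ae1744a09fb44056d1fc2f1911a052e39"

# Reads apksigner output on stdin. Succeeds only if at least one signer is
# listed and every signer's certificate/public-key digest pair is pinned.
check_apksigner_output() {
  awk -v pins="$PINNED_PAIRS" '
    BEGIN { n = split(pins, p, " "); for (i = 1; i <= n; i++) ok[p[i]] = 1 }
    # $2 is the signer index ("#1"), $NF is the hex digest.
    /^Signer #[0-9]+ certificate SHA-256 digest: / { cert[$2] = tolower($NF) }
    /^Signer #[0-9]+ public key SHA-256 digest: /  { key[$2]  = tolower($NF) }
    END {
      signers = 0
      for (s in cert) {
        signers++
        pair = cert[s] ":" key[s]
        if (!(pair in ok)) exit 1          # unknown or mismatched signer
      }
      for (s in key) if (!(s in cert)) exit 1   # key digest without a cert
      exit (signers > 0 ? 0 : 1)           # no signer lines at all: reject
    }'
}

# Hypothetical wrapper: verify_apk path/to/file.apk
# Fails if apksigner rejects the signature or if the signer is not pinned.
verify_apk() {
  out=$("$ANDROID_SDK/build-tools/$BUILD_TOOLS_VERSION/apksigner" \
        verify --print-certs -v "$1") || return 1
  printf '%s\n' "$out" | check_apksigner_output
}
```

Source the file and run verify_apk "$APK_FILE"; an exit status of 0 means the signature verified and the signer matched one of the pinned pairs.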