As long as the app isn't verified like for example, Google Play Store verified those applications that is legit and have Verified protect on the page where you'll install the app.
This still isn't a guarantee. The Google account responsible for submitting new version nof the app to the play store could be compromised and result in a malicious app being uploaded. A Google employee could swap in their own malicious wallet app in order to steal funds. You could suffer a man in the middle attack and be redirected to malware despite clicking on the real app. Google could give the "verified" status to a malicious app by mistake.
The best way to make sure you have downloaded the real app published by ThomasV is it verify it against his public key. The only absolute guarantee you are installing what you think you are is to manually review all the code and build it yourself, but obviously most people do not have the knowledge required to do this.