This seems like such a common occurrence, not only with Android apps but anything with auto updates. It seems like the only solution right now is to purely limit yourself to apps from F-Droid. Not necessarily because open source is resistant to this, but because no spammer would bother attacking such a small group.
A non-perfect solution of mine: update only Android apps where it actually makes sense, or where the author is Google. There is no reason my simple calculator app should get an update every few weeks (since nothing visibly changed in it for the last X years), or LinkedIn should have almost weekly updates.