According to the professor, Google's shortcoming mostly comes from a relatively skin-deep routine that checks the SHA-1 value and install package name, not underlying code that's tougher to change.
ENGADGET: Android 4.2 App Verification Service tested, found no substitute for full anti-malware tools