ZGrapheneOS a MITM with an altered version but the same base hash signature
APKs are cryptographically signed. The system package manager pins this signature to ensure that all updates have the same signature to guard against altered malicious updates. The hash of these signatures can be used to verify you have a genuine APK before installation or to check you have the genuine app after installation.
There's a GrapheneOS community member who's made an app to help check these hashes.
https://github.com/soupslurpr/AppVerifier
There's also been recent work towards having these hashes checked against a list of common apps by GrapheneOS.
If you want to have control over the ability for your children to install apps, the easiest approach is to set them up with a secondary user profile to use and then turn off the ability to install apps in that user profile via the multiple user settings in the owner user. This way the apps they use are isolated away from your files, media, contacts.
Due to the strong protections in Android, malicious apps tend to fool the user into granting them permissions. A few target known vulnerabilities in older versions of Android that are no longer getting updates, as it is common for people to run phones that no longer get updates.
Anti-virus apps on Android have limited utility and often flag false positives.
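
The pre-install check described in the post (comparing an APK's signing-certificate hash against a known-good value), as an added example that is not part of the original post and is not AppVerifier's code. It assumes the Android SDK build-tools `apksigner` is on PATH; the pinned fingerprint and the sample output are constructed placeholders, and rejecting APKs with more than one signer is a policy choice of this example.

```python
import hmac
import re
import subprocess
import sys

# Matches the digest lines printed by `apksigner verify --print-certs`.
DIGEST_RE = re.compile(r"certificate SHA-256 digest:\s*([0-9a-fA-F]{64})\b")

# Constructed placeholder pin, written colon-separated the way fingerprints
# are often published. Replace with the value from the developer's own channel.
PINNED = ":".join(["AB"] * 32)

# Constructed sample of apksigner output, used for offline testing only.
SAMPLE_OUTPUT = (
    "Signer #1 certificate DN: CN=Example Developer\n"
    "Signer #1 certificate SHA-256 digest: " + "ab" * 32 + "\n"
    "Signer #1 certificate SHA-1 digest: " + "cd" * 20 + "\n"
)

def normalize(fp: str) -> str:
    """Accept 'AB:CD:...', spaced or plain hex; return 64 lowercase hex chars."""
    hexed = re.sub(r"[\s:]", "", fp).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", hexed):
        raise ValueError("not a SHA-256 fingerprint")
    return hexed

def signer_digests(print_certs_output: str) -> list[str]:
    """Return every signer certificate SHA-256 digest found in the output."""
    return [d.lower() for d in DIGEST_RE.findall(print_certs_output)]

def matches_pin(print_certs_output: str, pinned: str) -> bool:
    """True only if there is exactly one signer and its digest equals the pin."""
    digests = signer_digests(print_certs_output)
    if len(digests) != 1:  # no signer found, or unexpected extra signers
        return False
    return hmac.compare_digest(digests[0], normalize(pinned))

def verify_apk(path: str, pinned: str) -> bool:
    """Let apksigner validate the signature, then compare the signer cert hash."""
    # check=True: a non-zero exit (signature does not verify) raises an error,
    # so a digest is never trusted from an APK whose signature is invalid.
    result = subprocess.run(["apksigner", "verify", "--print-certs", path],
                            check=True, capture_output=True, text=True)
    return matches_pin(result.stdout, pinned)

if __name__ == "__main__":
    ok = verify_apk(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else PINNED)
    print("certificate matches pin" if ok else "MISMATCH: do not install")
    sys.exit(0 if ok else 1)
```

A matching hash only says the APK was signed with the expected key; the pinned value itself has to come from a channel you trust independently of where the APK was downloaded.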