Unclear this is affecting Android app repos. Doesn't look like it, I only see Python scripts in the source articles. I wouldn't worry about this even if there is knowledge this affects Android app repositories.
Someone getting their apps outside of an app store like from GitHub MUST do their due diligence, people should see that the GitHub repository they get their apps from is the authentic repo by the real developer. This is just a dependency confusion attack where a threat actor posts an app or library using the same name as a popular one to confuse people into downloading their malicious one.
Obtainium is not our app, nor is it the best source for apps. Obtainium lacks the ability to secure the initial install of apps and you rely on the Android Trust-on-First-Use model, where apps can only be updated if they are signed by the same developer key as the initial install. You rely entirely on your own trust and research that the apps you get are the authentic ones when you install them the first time. App stores like Accrescent (accrescent.app) pin signing keys and verify app installs so you don't have to do that. Some apps may also let you verify in other ways too.
If people check their apps first this is not an issue to anyone. This is just an issue of people being tricked.
Android apps are sandboxed and you should deny a permission for an app to access or do something if you do not like that. If you can't use the app without it and you KNOW it is not necessary then you should maybe consider an alternative app instead. Most trivial Android malware comes down to people just allowing the apps to see what they want.
Thank you for this thoughtful and detailed response.
I'll need to look into the app store you reference for security here 🫂