The Android APK security model is pretty apt for using mirrors - what you need is a trusted directory of known-good mappings from app ID to the signing developer key fingerprint, to cover trust on first use when installing - plus handling of key revocation.
Mirrors publish the fingerprints, but it's unclear what verification they applied. Looking at history won't cover revocation, but it's already something. Certificate transparency logs could handle APKs instead of domains, too.
I understand the appeal of Aurora and similar - you let Google handle search, malware takedowns and download traffic, but then you're also liable to be cut off at no notice.
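As an added illustration (not part of the comment above, and not code from Aurora, F-Droid or any real mirror), here is the install-time check the comment sketches, in Python: a pin store that trusts a signer on first install, cross-checks against a known-good app ID to signer-fingerprint directory, refuses revoked signers, and keeps a hash-chained history of its decisions so later review can catch tampering. Assumptions: the fingerprint is SHA-256 over the DER-encoded signing certificate (the digest `apksigner verify --print-certs` prints); the certificate bytes and app IDs are constructed placeholders; `PinStore`, `Decision` and `check_install` are hypothetical names.

```python
import hashlib
import json
from dataclasses import dataclass, field
from typing import Dict, List, Set


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded signing certificate, lowercase hex.
    This matches the certificate digest apksigner reports for an APK's signer."""
    return hashlib.sha256(der_cert).hexdigest()


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class PinStore:
    """Hypothetical install-time signer pinning: trust on first use, backed by a
    known-good directory and a revocation set, with a hash-chained history so
    every decision is auditable afterwards (a local stand-in for a CT-style log)."""
    directory: Dict[str, str] = field(default_factory=dict)  # appid -> expected signer fingerprint
    revoked: Set[str] = field(default_factory=set)           # signer fingerprints no longer trusted
    pins: Dict[str, str] = field(default_factory=dict)       # appid -> signer seen on first install
    history: List[dict] = field(default_factory=list)        # append-only, each entry commits to the previous

    def _log(self, appid: str, fingerprint: str, decision: Decision) -> None:
        prev = self.history[-1]["hash"] if self.history else "0" * 64
        entry = {"appid": appid, "signer": fingerprint,
                 "allowed": decision.allowed, "reason": decision.reason, "prev": prev}
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.history.append(entry)

    def revoke(self, fingerprint: str) -> None:
        """Directory-published revocation: the signer is refused even if it matches a pin."""
        self.revoked.add(fingerprint)

    def check_install(self, appid: str, fingerprint: str) -> Decision:
        # Order matters: revocation beats any pin, the directory beats local TOFU state.
        if fingerprint in self.revoked:
            decision = Decision(False, "signer revoked")
        elif appid in self.directory and self.directory[appid] != fingerprint:
            decision = Decision(False, "signer differs from known-good directory")
        elif appid in self.pins and self.pins[appid] != fingerprint:
            decision = Decision(False, "signer differs from pinned first-install signer")
        elif appid in self.pins:
            decision = Decision(True, "signer matches pin")
        else:
            # First install: pin whatever we see, but record whether the directory vouched for it.
            self.pins[appid] = fingerprint
            source = "directory-confirmed" if appid in self.directory else "unverified, trust on first use"
            decision = Decision(True, f"pinned on first install ({source})")
        self._log(appid, fingerprint, decision)
        return decision

    def verify_history(self) -> bool:
        """Recompute the chain; any edited or reordered entry breaks it."""
        prev = "0" * 64
        for entry in self.history:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev:
                return False
            if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


# Constructed placeholder "certificates"; real ones would be the DER blobs from the APK's signature.
FP_A = cert_fingerprint(b"constructed DER cert for developer A")
FP_B = cert_fingerprint(b"constructed DER cert for someone else")
FP_C = cert_fingerprint(b"constructed DER cert for developer C")
FP_D = cert_fingerprint(b"constructed DER cert replacing C without authority")


def demo() -> List[Decision]:
    store = PinStore(directory={"org.example.app": FP_A})
    results = [
        store.check_install("org.example.app", FP_A),   # first install, directory agrees
        store.check_install("org.example.app", FP_A),   # update by the same signer
        store.check_install("org.example.app", FP_B),   # mirror serving a re-signed APK
        store.check_install("com.other.app", FP_C),     # app the directory does not know: plain TOFU
        store.check_install("com.other.app", FP_D),     # later update with a different key
    ]
    store.revoke(FP_A)
    results.append(store.check_install("org.example.app", FP_A))  # pinned, but now revoked
    assert store.verify_history()
    return results


if __name__ == "__main__":
    for d in demo():
        print("ALLOW" if d.allowed else "DENY ", d.reason)
```

The point of the ordering in `check_install` is the one the comment makes: a pin alone only catches a key change after first install, while the directory and the revocation set are what close the first-install and compromised-key gaps, and the hash-chained history is what lets someone audit mirrors' past claims later.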