TapContext is shit - breaking policy and making us lose active users!

This surprised me too, at first. But on a technical level, it’s not difficult to make this work. Any app has permission to list all the packages you have installed. That’s right - you don’t need any special permissions for this. Surprising, but true. I just tried it myself, and was able to list every package on the system without adding a single permission to a new Android project.

So all TapContext has to do is grab a list of your installed apps and compare it with another list (provided by the antivirus “advertiser”) containing the package names of supposed malware. Then they can show the pretty “antivirus scan” window, which just has to scroll through the list, highlighting malware when it comes up.

This does raise an important question: is TapContext sending the list of installed apps to the advertiser? Or is the advertiser providing a list of malware, which the SDK compares on the client side (i.e. without sending anything back to the server)? I’d think that both ways are technically legal (they comply with Google Play policies). But sending a list of apps to a third party has significant privacy implications which developers should be made aware of.
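One way a developer could answer that question for an SDK they embed, as an added example that is not part of the original post and not TapContext code: compare the test device's package list with the request bodies the app sends and flag any request that carries most of the list. It assumes the bodies were exported from an intercepting proxy on a test device; the package names, hosts and bodies below are constructed, and encrypted or custom-encoded payloads would not be detected.

```python
import base64, gzip, json, re, zlib

# Constructed sample in the output format of `adb shell pm list packages`.
PM_OUTPUT = """package:com.android.chrome
package:com.example.bank
package:com.example.game
package:org.example.notes
package:com.example.hostapp"""

def parse_pm_list(text):
    return {ln.split(":", 1)[1].strip() for ln in text.splitlines() if ln.startswith("package:")}

def decoded_views(body, depth=2):
    """Yield the body plus its gzip/base64 decodings, nested up to `depth` layers."""
    yield body
    if depth == 0:
        return
    for decode in (gzip.decompress, lambda b: base64.b64decode(b, validate=True)):
        try:
            inner = decode(body)
        except (OSError, EOFError, ValueError, zlib.error):
            continue  # body is not in this encoding
        yield from decoded_views(inner, depth - 1)

def leaked_packages(installed, body):
    """Installed package names that appear as whole names in any decoded view."""
    found = set()
    for view in decoded_views(body):
        for pkg in installed:
            # Boundaries stop com.example from matching inside com.example.game.
            if re.search(rb"(?<![\w.])" + re.escape(pkg.encode()) + rb"(?![\w.])", view):
                found.add(pkg)
    return found

def audit(installed, requests, threshold=0.5):
    """Map host -> leaked names for bodies carrying >= threshold of the device's packages."""
    flagged = {}
    for host, body in requests:
        hits = leaked_packages(installed, body)
        if installed and len(hits) / len(installed) >= threshold:
            flagged.setdefault(host, set()).update(hits)
    return {host: sorted(pkgs) for host, pkgs in flagged.items()}

INSTALLED = parse_pm_list(PM_OUTPUT)
APPS_JSON = json.dumps({"apps": sorted(INSTALLED)}).encode()
# Constructed request bodies; the hosts are placeholders.
REQUESTS = [
    ("config.sdk.invalid", b'{"app":"com.example.hostapp","sdk":"1.0"}'),  # host app's own name only
    ("collect.sdk.invalid", base64.b64encode(gzip.compress(APPS_JSON))),  # full list, gzip + base64
    ("ads.sdk.invalid", b'{"hit":["com.example.game"]}'),                 # client-side match result
]
```

The threshold keeps requests that mention only the host app's own package name, or a single client-side match, from being flagged as a full-list upload.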