Google have greatly ramped up their efforts. It used to be that they audited apps to make sure the in-app purchases were going through them, but now they've updated Android policies a lot to cater for security violations. File access has been limited, similar to iOS. You now need permission to access things like locations from maps. Camera, mic, everything that shady companies like FB did in the background is now much more highly restricted.
I don't think you can really audit code. It would be a complete pain to audit something built in Cordova; even a Hello World hybrid app is a nightmare. They have some nifty performance tracking, though.
Let me paste a few that they track: Excessive wake-ups, Stuck partial wake locks, Excessive background Wi-Fi scans, Excessive background network usage, ANR/Crash rate, Excessive slow/frozen frames, Permission denials.
They also give notifications on what can be done to improve both security and performance. They notify you of things that increase or decrease ratings - majorly punishments to rating for things like overheating or privacy concerns, but minor bonuses for people who say things like "nice update".
Also there were rumors that apps that didn't meet these guidelines would have their ratings punished. I noticed a sharp drop in search rank once when I had a viral spike in uploads, likely because the ASO algorithm watched it as buying downloads/reviews, but it recovered the position after a few weeks.
They enforce a rigorous review process of all app builds, of course. (It's hard to say this with a straight face.)