Pokémon GO APK file contains malware

As Alexander pointed out in the comments, checking permissions alone is not a reliable way to determine whether an APK is trustworthy or not. Especially not for an app like Pokémon Go, which is going to require a wide array of permissions in any case.

If you are forced to download an app from an unofficial source, one of the smartest things to do is to get it from a trusted source. The best thing would be if you had a real-world friend or family member with a Google Play account linked to a country where the app is released. That person could install the app from Google Play, copy the APK from their phone, and send it to you. This way you know you have a real, untampered APK, just like the original developers distributed it. Obviously, it is not often that you have such a friend, so on to the next option.

Apkmirror.com is run by the same people behind AndroidPolice.com, one of the biggest Android news websites. All uploads are manually vetted and approved, and only free apps are allowed so you won't find any 'cracked' APK or 'warez'.

As you already have the Play Store installed, only an APK signed with the same key as the currently installed version will be able to upgrade the app so this is an extra verification of the APK you download. Therefore, if you download the app from Apkmirror.com you should be safe.

APKmirror use both MD5 and SHA1 and they have gradually built up a solid reputation over years. I'm not aware of any confirmed case of a compromised APK on their site. Of course, it may plausibly still happen, but even the Play Store is not completely safe from all malware. APKmirror manually checks each APK.

Attribution for part of the section on apkmirror.com.