I have 500k active users. My application has been probably hacked. How do I know that? My production versions are 3.x.y But I can see in Firebase statistics that 1% (about a few thousand) users use version 4.0.0. I have never released app with that version. Probably somebody just changed app version and I assume ad ids. He didn't even remove Firebase analytics so I can see that the hacked app is live. I use standard ProGuard obfuscation but as we can see it didn't help.
The question is how to find the place (site, market,..) from where hacked application is downloaded?
If you are fine to update your app, then I would first change my app to read getInstallerpackageName from PackageManager, and then record it via Firebase analytics.
If the result of this is com.android.vending it was installed from Google Play, otherwise it will be the program that installed your app. If this is another app store then great, you have found it.
If the result is something like a web browser then it is harder as the user got the app from a website. Then your best option is Google searching. The normally easiest way is include your app name and the word "APK". This tends to find most sites serving your app. You could even search for your app name, "APK" and "4.0.0" as many website list the version code on the page.