In some cases, the mistake is a simple one: you are not really scanning app code. AV comparatives have found that only whitelists or blacklists are used by apps, and sometimes very broad ones. While they allow all apps whose package files begin with com.instagram, it would be trivial to create malicious apps that used a variant for that name.
The apps that passed the app came from well-known security brands, with big names like AVG, Kaspersky, McAfee, and Symantec knowing everything. Those who failed, however, had a familiar pattern. Many of them have been written by amateurs, cookie cutter apps, or companies that are obviously not focused on security. Anti-malware apps from 32 test providers have disappeared in the two months since the test in January.
It's safe to say that this is the reminder of company antivirus tools with a solid track record. However, this also demonstrates the challenge that Google and other store operators face with screening apps. While you can verify that the apps do no harm to users or violate applicable law, they can not achieve the quality required to secure your phone.