if the application has a sizeable user base, there will be users (most likely contributors) who will discover the change, they have about 1 day, but many FDroid users rarely update repositories, so more than 1 day. Malicious functionality in builds can go unnoticed for years.