This usually happens when Google sees a script or URL in your app code that it has previously flagged as malicious. This can happen if any 3rd party library you're using has added a script to their code. I also suggest making sure the credentials for your app are secure.
To move forward from here, I suggest auditing any 3rd party libraries you're using, and consider removing anything not being used. Also take a look at your app code and make sure you recognize every script and URL in your code. In the past I've seen malicious scripts disguised with base64 encoding, so also look for any long strings in your code you don't recognize.
Feel free to PM me more details about the app and I can take a look and see if I can spot anything.
JB | Developer Support @ Shopify
- Was my reply helpful? Click Like to let me know!
- Was your question answered? Click Accept as Solution