> I think Android is designed such that even the Play Store cannot replace an installed app with a differently signed one.
They can’t, however Google have recently changed the requirements for submitting an application to the Play Store. You now need to hand over your application signing key. Instead of signing the application to prove authenticity to Android devices then giving it to Google to host, you now sign the application to provide authenticity to Google, and then Google re-signs it with the key you gave them to prove authenticity to Android devices.
So if Google want to provide an alternative binary to a specific person, they can now do that.
They can’t, however Google have recently changed the requirements for submitting an application to the Play Store. You now need to hand over your application signing key. Instead of signing the application to prove authenticity to Android devices then giving it to Google to host, you now sign the application to provide authenticity to Google, and then Google re-signs it with the key you gave them to prove authenticity to Android devices.
So if Google want to provide an alternative binary to a specific person, they can now do that.