You may recall all the kerfuffle about the possible vulnerability found by security group Blue Security that allowed malicious apps to circumvent the app verification process. In short, the contents of an app can be changed while its pre-existing app signature is left intact. The harm is that a well-known app could be changed by hackers and side-loaded onto people’s Android devices, allowing them to run any malicious code they’ve added into it.
Thankfully this hasn’t turned into a widespread issue, with Samsung already patching the problem on their devices. Google, for their part, have announced that between February and April they provided OEMs with a fix for the vulnerability, which affects Android 1.6 through to current versions. Although that fix may not even make it to end users’ devices, it does cover Google from any backlash.
Google did say that they’ve not seen any use of this exploit, either in their scanning of Google Play or in the verification of apps that are side-loaded onto devices.