Comment by DoctorOW
3 months ago
> To completely eliminate any threats, I’ve decided to stop using the current signature and switch to a new one. Because of this, the app’s identifier will also change. You don’t need to delete the old app (but it will no longer receive updates)
I'm curious if this is the best idea? Like, if you don't read all the GitHub releases thoroughly or miss the HN material, and instead you just auto-install updates, you've downloaded a malware-infested version which will be on your device until you learn otherwise?
At this point, Play Protect will remove the APKs with the old signature because the developer marked the old signature as compromised. The developer acted correctly and responsibly in doing so, and seems to be working on establishing a new setup now, including a new signing key.
For those using sketchy devices without Play Protect and also installing random apks without an understanding of security or Android's trust-on-first-use model, there's not much anyone can do.
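The thread above turns on two Android mechanisms: the package manager pins the signing certificate of a package on first install and refuses any later update for the same applicationId that is signed with a different key, and Play Protect can flag a signer as compromised and remove what it has signed. The block below is an added illustration of why that forces a new application identifier once the old key is untrusted; it is a small model of those rules, not Android's or the app's own code, and the package names, certificate bytes and message strings are constructed for the example.

```python
"""Model of Android's signing-key trust-on-first-use rule plus a Play Protect
style revocation sweep.  Added example; the package names, the stand-in
certificate bytes and the status strings are constructed, not taken from
Android or from the app discussed in the thread."""
import hashlib
from dataclasses import dataclass, field


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the signing certificate, colon-separated as apksigner prints it."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


@dataclass
class Apk:
    package: str        # applicationId
    version_code: int
    cert_der: bytes     # signing certificate (constructed stand-in for real DER)


@dataclass
class Device:
    # package -> (installed versionCode, pinned signer fingerprint)
    installed: dict = field(default_factory=dict)
    # signer fingerprints flagged as compromised (the Play Protect list)
    revoked: set = field(default_factory=set)

    def install(self, apk: Apk) -> str:
        fp = cert_fingerprint(apk.cert_der)
        if fp in self.revoked:
            return "BLOCKED: signer flagged as compromised"
        current = self.installed.get(apk.package)
        if current is None:
            # Trust on first use: whatever key signs the first install is pinned.
            self.installed[apk.package] = (apk.version_code, fp)
            return "INSTALLED: first install, signer pinned"
        pinned_version, pinned_fp = current
        if fp != pinned_fp:
            # Same applicationId, different key: the real error Android reports.
            return "REJECTED: INSTALL_FAILED_UPDATE_INCOMPATIBLE (signer mismatch)"
        if apk.version_code <= pinned_version:
            return "REJECTED: versionCode downgrade"
        self.installed[apk.package] = (apk.version_code, fp)
        return "UPDATED"

    def revoke(self, fingerprint: str) -> list:
        """Flag a signer as compromised and remove every app pinned to it."""
        self.revoked.add(fingerprint)
        removed = [pkg for pkg, (_, fp) in self.installed.items() if fp == fingerprint]
        for pkg in removed:
            del self.installed[pkg]
        return removed


def scenario():
    """Replays the situation from the thread on one modelled device."""
    old_key = b"-----constructed OLD signing cert, later stolen-----"
    new_key = b"-----constructed NEW signing cert-----"
    dev = Device()
    log = [
        dev.install(Apk("com.example.app", 10, old_key)),   # legitimate first install
        dev.install(Apk("com.example.app", 11, old_key)),   # attacker with stolen key: accepted
        dev.install(Apk("com.example.app", 12, new_key)),   # dev's new key, same id: rejected
    ]
    removed = dev.revoke(cert_fingerprint(old_key))          # old signer flagged compromised
    log.append(dev.install(Apk("com.example.app", 13, old_key)))    # attacker's next build: blocked
    log.append(dev.install(Apk("com.example.app2", 1, new_key)))    # new id + new key: fresh install
    return log, removed, sorted(dev.installed)


if __name__ == "__main__":
    for line in scenario()[0]:
        print(line)
```

The third install is the crux: a new key under the old applicationId is indistinguishable, to the device, from an attacker trying to hijack the package, so it is refused. APK Signature Scheme v3 does allow key rotation, but the proof-of-rotation has to be signed by the old key, which is precisely the key the developer can no longer trust, so a fresh identifier is the remaining option.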