Comment by sfRattan

At this point, Play Protect will remove the apks with the old signature because the developer marked the old signature as compromised. The developer acted correctly and responsibly in doing so, and seems to be working out establishing a new setup now, including a new signing key.

For those using sketchy devices without Play Protect and also installing random apks without an understanding of security or Android's trust-on-first-use model, there's not much anyone can do.