
What is the risk here? Presumably Google Play would not accept an apk that was signed by "android", right? Assuming that is not the case, the only risk would be installing apks from alternative sources, like F-Droid, who should probably check for strange signings, too, IMHO.

Or there is "something else", some sort of bullshit that goes over the baseband, where updates cannot be refused (other than by putting your device in airplane mode, or off), and now, because the "platforms" couldn't protect their private keys from malefactors, kids with SDRs are going to effortlessly pwn people's phones by pushing their own software over a possible, nay probable, proprietary baseband channel.

(Tangential scifi rant: And then you add the risk of manufacturer shenanigans at the PCB or chip-image level, and you can't really do due diligence on chips without your own electron microscope (and possibly not even then). I've had this worried thought with software, too, that there is too much complexity to really understand it. In the same way our computer hardware is actually too hard for any one person to understand "completely" - that is, possess the skill-set of every individual contributor on the engineering team of a company that makes smartphones.)



What is "signed by Android"? The leaked Samsung and LG keys are used in dozens of apps. Someone could in theory upload apps claimed to be from Samsung to the Play Store, sign them with those keys, and compromise millions of users whose Play Store would suddenly update to the unofficial APKs (assuming that they get around Google's own Play Protect).


I assume (hope) that Google is smart enough to check for these vendor signatures, and possibly tie them to a specific vendor account.

With the switch to AAB app bundles (https://android-developers.googleblog.com/2020/11/new-androi...), it's effectively impossible for most people to upload custom APKs to the Play Store anyway. I'm sure there are backdoors and special treatment for vendor applications to keep their signatures.

In fact, with the exception of private applications, Google requires you to hand over your signing keys when you upload to the Play Store. I doubt you'd get away with just uploading vendor keys to the Play Store console.
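The check the two comments above ask for (F-Droid "checking for strange signings", Google checking vendor signatures) amounts to comparing the APK's signer certificate fingerprint against an allowlist. Added example, not from any commenter or from F-Droid/Google: it reads the v1 (JAR-style) PKCS#7 blocks under META-INF/ with the `cryptography` library and builds a small self-signed test APK inline; the vendor name and the allowlist are constructed, and APK Signature Scheme v2/v3 blocks are not parsed here.

```python
"""Pin APK signers: extract v1 (JAR) signer certificates and compare their
SHA-256 fingerprints against an allowlist of expected vendor certificates."""
import datetime
import io
import zipfile

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs7
from cryptography.x509.oid import NameOID


def signer_fingerprints(apk_bytes: bytes) -> set:
    """SHA-256 fingerprints (hex) of every certificate carried in the APK's
    META-INF/*.RSA|DSA|EC PKCS#7 signature blocks (v1 signing only)."""
    fps = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                for cert in pkcs7.load_der_pkcs7_certificates(z.read(name)):
                    fps.add(cert.fingerprint(hashes.SHA256()).hex())
    return fps


def is_trusted_signer(apk_bytes: bytes, allowlist) -> bool:
    """True only if the APK is signed and every signer is on the allowlist;
    an unsigned APK or any unexpected signer certificate fails the check."""
    fps = signer_fingerprints(apk_bytes)
    return bool(fps) and fps <= {fp.lower() for fp in allowlist}


def make_test_apk(vendor_cn: str):
    """Constructed test fixture: a minimal zip with a v1-style detached
    PKCS#7 signature over CERT.SF, signed by a fresh self-signed cert."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, vendor_cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
            .sign(key, hashes.SHA256()))
    sf = b"Signature-Version: 1.0\r\n"
    sig = (pkcs7.PKCS7SignatureBuilder().set_data(sf)
           .add_signer(cert, key, hashes.SHA256())
           .sign(serialization.Encoding.DER, [pkcs7.PKCS7Options.DetachedSignature]))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"dex\n035\x00")  # placeholder payload, not real dex
        z.writestr("META-INF/CERT.SF", sf)
        z.writestr("META-INF/CERT.RSA", sig)
    return buf.getvalue(), cert.fingerprint(hashes.SHA256()).hex()
```

A real deployment would key the allowlist by the publishing account, so a known vendor certificate presented by anyone else is rejected rather than merely recognised.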


Where do you see that Google requires you to hand over the signing keys? That's one of the options, but you can also sign and then upload a signed apk.


https://developer.android.com/studio/publish/app-signing#enr...

Since 2011, GPlay requires you to use Play Signing. You can have Google generate the keys or you can upload your own keys, but the private key ends up with Google.

You can create a key pair for uploading artifacts (the "upload key") for which you only need to upload the public key, but the signing keys need to end up over at Google.

Older apps (uploaded before August 2021) are exempt, though. Apps distributed through other channels (F-Droid, Amazon App Store, etc.) are also exempt, of course.


Ah, so having to upload the key is new as of Aug 2021. If Google is indeed smart about it, they'd have blocked these compromised keys from being used by developers other than the whitelisted ones.



