Android does verify that any new versions of an APK are signed with the same signing key as previously installed versions. So you would have to compromise the signing key held by the developer in order to push an evil APK.