Firstly, Android checks app signatures and as far as I know the market app doesn't have any ability to override that. It can do a few privileged things like skip showing the permissions screen, but I think the OS still wants to see correct signatures. So even if the app store was hacked the phone itself might reject a bogus upgrade.
Secondly, that slide is more like some junior GCHQ guy noodling around, I think. It is old and dates from a time before Google used SSL for everything. I doubt it's possible to do via purely technical attacks now.
Thirdly, it'd almost certainly be easier to attack the developer laptop/workstation to steal the signing keys directly than attack Android head on. I plan to do some research this summer into splitting the RSA signing keys used by Android apps to allow for threshold signed online updates for Android and maybe iOS.
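To make the key-splitting idea in the post above concrete, here is an added example (not the poster's design and not Android code) of the simplest possible split: a 2-of-2 additive sharing of an RSA private exponent, where two holders each produce a partial signature and only the product verifies against the unchanged public key. The toy modulus, the unpadded hash and all function names are assumptions made for illustration; a real scheme would use a full-size key, standard signature padding and would avoid a dealer who ever sees the whole exponent.

```python
import hashlib
import secrets

# Constructed toy key: two Mersenne primes, far too small for real use.
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537
D = pow(E, -1, PHI)  # full private exponent, known only to the dealer


def digest_int(message: bytes) -> int:
    """Hash the message and reduce it into the modulus (no padding: toy only)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def split_exponent(d: int) -> tuple:
    """Additive 2-of-2 split: d1 + d2 = d (mod phi); each share alone is random."""
    d1 = secrets.randbelow(PHI)
    return d1, (d - d1) % PHI


def partial_sign(message: bytes, share: int) -> int:
    """One key holder's contribution, computed without seeing the other share."""
    return pow(digest_int(message), share, N)


def combine(partials: list) -> int:
    """Multiply partial signatures: h^d1 * h^d2 = h^(d1+d2) = h^d (mod N)."""
    sig = 1
    for s in partials:
        sig = sig * s % N
    return sig


def verify(message: bytes, sig: int) -> bool:
    """Ordinary RSA verification against the unchanged public key (N, E)."""
    return pow(sig, E, N) == digest_int(message)


if __name__ == "__main__":
    update = b"constructed update payload"  # constructed sample input
    d1, d2 = split_exponent(D)
    s1, s2 = partial_sign(update, d1), partial_sign(update, d2)
    print("both shares verify:", verify(update, combine([s1, s2])))
    print("one share verifies:", verify(update, s1))
```

Because the combined value is an ordinary RSA signature under the same public key, a verifier that pins the app's existing signing certificate would not need to change; stealing one workstation's share is no longer enough to sign an update.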
The only way to change the signing key for an app (on an unrooted phone at least) is by completely uninstalling it (which deletes the main data directory) and then installing a new version. In fact, Google lost the key for their OTP authenticator app at one point, requiring all users to install the new app manually before they would receive updates again.