• until they get forced to issue an update that steals your key.

    assuming you installed the app from google play.
    since for a few years now google holds the signing keys that are used for verifying that the app has not been tampered with, the app developer is not even needed for this. google can make the changes, sign the app with the key they already have, and push an update to your phone.