What prevents Google from replacing Signal on the Android Application store with their custom and backdoored version? Can we check a hash or something? Does the Signal Foundation do that on a regular basis?
If Google wanted to read your messages and were willing to use malware to do it, there’s little to stop them on Android. Even if Signal checked the apk regularly, there’s no guarantee that the apk served to them is the same one served to everyone else. They could also push an update to the OS that recognizes the Signal apk and applies a patch after downloading but before installing.
That said, Signal does apparently support reproducible builds so that people can check that the apk matches what’s on GitHub (though this is more of a way to detect malfeasance on Signal’s part rather than Google’s).
Signal is signed with a key that's held by Signal, not Google. Android won't install app updates unless they're signed with the same key as the currently installed version.
There's nothing stopping Google from silently pushing a keylogger to your phone and recording every single thing you do. They don't need to hijack Signal or anything else for that. By using your phone you are implicitly trusting Google, the manufacturer and several other parties.
That said, Signal does apparently support reproducible builds so that people can check that the apk matches what’s on GitHub (though this is more of a way to detect malfeasance on Signal’s part rather than Google’s).
https://signal.org/blog/reproducible-android/