and Google Play offers the possibility to distribute an update only to specific e-mail addresses, so if there is a need to compromise users with a malicious update that shows another fingerprint it's really doable (or just copy the messages, like Skype was doing with TOM-Skype).