I have an app in Google Play. And somebody asks me to sign his empty APK file with MY keystore, and then send it back to him. What can he do with my signed APK? Is it safe?
If it is his APK, you cannot securely guarantee that it is empty or non-malicious, even if it looks empty.
a) Are they going to distribute a virus signed with your key?
It's not easy to audit an APK against known and unknown vulnerabilities, not only in the compiled code but in every data structure.
I've been reading there is a variant of the "master key" exploit that allows modifying a small signed APK to inject arbitrary code into it. If this happens it's not your fault; they just need a small valid APK (but you probably would not release this in normal conditions).
As a rule of thumb, don't sign stuff that you don't control down to the last bit.
b) Can they exploit you or steal your key?
This is harder to imagine. I'd assume no. Unless they own an ugly exploit against your PC.
Again, reverse engineering the code is not enough to protect you, as there might be unknown vulnerabilities hiding anywhere in data structures.
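A pre-signing gate in the spirit of the rule above, as an added example that is not part of the original answer: it rejects any APK that is not byte-identical to one you built yourself, and also flags duplicate ZIP entry names, the archive trick the original "master key" bug relied on. The function names and the sample archives are constructed for illustration.

```python
import hashlib
import io
import warnings
import zipfile
from collections import Counter


def audit_before_signing(apk_bytes, own_build_sha256):
    """Return a list of reasons NOT to sign; an empty list means no finding."""
    findings = []
    # Bit-for-bit control: only an archive identical to your own build passes.
    if hashlib.sha256(apk_bytes).hexdigest() != own_build_sha256:
        findings.append("sha256 differs from own build")
    try:
        zf = zipfile.ZipFile(io.BytesIO(apk_bytes))
    except zipfile.BadZipFile:
        return findings + ["not a valid ZIP archive"]
    with zf:
        # infolist() keeps every central-directory record, duplicates included,
        # whereas a lookup by name only ever sees one of them.
        counts = Counter(info.filename for info in zf.infolist())
        for name, n in sorted(counts.items()):
            if n > 1:
                findings.append(f"duplicate entry: {name} x{n}")
    return findings


def build_sample(entries):
    """Constructed sample archive: list of (name, bytes) pairs -> ZIP bytes."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        # zipfile warns (but does not fail) when a name is written twice.
        warnings.simplefilter("ignore", UserWarning)
        with zipfile.ZipFile(buf, "w") as zf:
            for name, data in entries:
                zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: your own build, and a file handed to you by someone else.
OWN = build_sample([("AndroidManifest.xml", b"<manifest/>")])
OWN_SHA = hashlib.sha256(OWN).hexdigest()
THEIRS = build_sample([
    ("AndroidManifest.xml", b"<manifest/>"),
    ("classes.dex", b"constructed-a"),
    ("classes.dex", b"constructed-b"),
])

if __name__ == "__main__":
    print(audit_before_signing(OWN, OWN_SHA))
    print(audit_before_signing(THEIRS, OWN_SHA))
```

A clean duplicate check on its own says nothing about what the file contains; the hash comparison against your own build output is the part that enforces the rule.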