Tags: java, android, security, keystore

Can Someone Sign Their App With A Keystore File From Your Reverse Engineered APK?


Signing your app/APK with a KeyStore file is what allows you to mark your app as yours. What if someone were to reverse engineer your APK, though, with the KeyStore file? Would the only thing stopping this be knowing the alias and password used for the same key to sign the app? If the alias and password values for the key are not hardcoded in any of the code, I guess it would be hard to find these out anyway.


Solution

  • That would only work if the app developer accidentally included a keystore file with the private key in the APK file and the password for accessing the key is so easy that it can be cracked. But by default the keystore containing the APK signing key is not included in the app.

    By default the APK signature uses RSA, which is an asymmetric algorithm. This means that someone who has a signed APK can verify the app developer of the APK but cannot sign other APKs using this developer identity.

    Of course you can try to break RSA, but at the moment Android signing keys use 2048 to 4096 bits; using the best known algorithm for factorizing an RSA key, even a supercomputer would require more years than the key is valid (usually 20-30 years).
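The asymmetric property the answer relies on, shown as an added example (this is not code from the question or the answer, and it is not how Android's apksigner is implemented). It uses Go's standard library to model the developer's keystore as an RSA key pair, signs constructed "APK bytes" with the private half, and then verifies with the public half, which is the only half that ships inside the APK. Two follow-up checks show what a holder of the signed APK can and cannot do: a tampered APK fails verification, and a signature made with a different private key fails against the developer's public key. A last helper lists ZIP entry names that look like an accidentally bundled keystore, the one scenario the answer names. The function names, the `.jks`/`.bks`/`.p12` extension list, and the sample entry names are assumptions for this illustration; real APK signing wraps the same SHA-256 + RSA primitive in PKCS#7 (v1) or the APK Signing Block (v2/v3).

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"path"
	"strings"
)

// NewDeveloperKey generates the kind of RSA key pair a developer keeps in a
// keystore. Only the private half must stay secret; the public half travels
// inside every signed APK as part of the signing certificate.
func NewDeveloperKey(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

// SignApk produces a detached signature over the APK bytes: SHA-256 digest,
// then an RSA private-key operation (PKCS#1 v1.5 padding). Simplified model of
// what apksigner does; assumption for this example.
func SignApk(priv *rsa.PrivateKey, apk []byte) ([]byte, error) {
	digest := sha256.Sum256(apk)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// VerifyApk checks the signature using only the public key, which is exactly
// what a device (or anyone holding the APK) can do. The public key cannot be
// used to produce a signature, so verification ability does not grant signing ability.
func VerifyApk(pub *rsa.PublicKey, apk, sig []byte) bool {
	digest := sha256.Sum256(apk)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// FindEmbeddedKeystores returns the ZIP entry names inside an APK whose
// extension suggests a keystore or PKCS#12 bundle. Such a file must never be in
// a release build; its presence is the one case in which the signing key could leak.
// The extension list is an assumption chosen for this example.
func FindEmbeddedKeystores(entries []string) []string {
	suspicious := map[string]bool{".jks": true, ".keystore": true, ".p12": true, ".pfx": true, ".bks": true}
	var found []string
	for _, e := range entries {
		if suspicious[strings.ToLower(path.Ext(e))] {
			found = append(found, e)
		}
	}
	return found
}

func main() {
	dev, err := NewDeveloperKey(2048)
	if err != nil {
		panic(err)
	}
	apk := []byte("constructed APK contents: classes.dex + resources") // constructed sample

	sig, err := SignApk(dev, apk)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine APK verifies with developer public key:", VerifyApk(&dev.PublicKey, apk, sig))
	fmt.Println("modified APK verifies with original signature:", VerifyApk(&dev.PublicKey, []byte("modified"), sig))

	// Someone who only has the APK (and thus only the public key) must generate
	// their own key to sign anything; that signature does not match the developer identity.
	other, _ := NewDeveloperKey(2048)
	otherSig, _ := SignApk(other, apk)
	fmt.Println("signature from a different key verifies as developer:", VerifyApk(&dev.PublicKey, apk, otherSig))

	// Release hygiene check over a constructed list of APK entry names.
	entries := []string{"classes.dex", "META-INF/CERT.RSA", "assets/release.jks"}
	fmt.Println("keystore-like entries bundled in APK:", FindEmbeddedKeystores(entries))
}
```

The point of the three `VerifyApk` calls is that the APK carries everything needed to verify and nothing needed to sign; `FindEmbeddedKeystores` is the kind of check to run on release artifacts in CI so that the "accidentally included keystore" case the answer describes is caught before publishing.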