Based on my understanding the android apk signing step is to make sure the apk a user is to install is unmodified. The apk is signed by a private key, however based on my understanding the public key is written right within the same apk file. I wonder how the user can trust the public key and use it to decrypt and verify the apk? Because I were a hacker I could simply get the original apk and modify its content and encrypt it with my own private key and insert my own public key in it so that when the user get this hacked apk he/she should still be able to pass the verification process as the apk is using a valid private and public key pair which is mine?
APK signing works for application update scenarios. You can only update an application with an APK signed with the same key as the original installed app.
Modifying an APK and signing it with another key is certainly possible and it does happen. One hurdle there is distribution: tricking users to install the modified version. Application stores have mechanisms to detect such app modifications or otherwise malicious apps, and the default platform security setting disallows sideloading i.e. installing applications from untrusted sources. These are of course not 100% effective, bad apps do get installed.