WoS are tied to your email address.
As long as you control that, you probably can withdraw in some way. If enough people or funds are affected, they will probably provide some form to withdraw without installing the app.
An apk from a third-party source could be verified by any user with access to the app on the Play Store by checking for compatibility. So imagine I give you the version 4 apk and your friend in Norway can install the version 5 apk from Play Store. He now can install my apk and update it in the play app. If that works, both were signed by the same keys.
You can check the signature without installing it but that's a bit more involved for the layperson.
As long as you control that, you probably can withdraw in some way. If enough people or funds are affected, they will probably provide some form to withdraw without installing the app.
An apk from a third-party source could be verified by any user with access to the app on the Play Store by checking for compatibility. So imagine I give you the version 4 apk and your friend in Norway can install the version 5 apk from Play Store. He now can install my apk and update it in the play app. If that works, both were signed by the same keys.
You can check the signature without installing it but that's a bit more involved for the layperson.