
Just search for proton in this thread. They've explained what happened themselves.

Besides, the argumentation from that vpnscam website and its followers reminds you of the typical conspiracy retards that follow Trump.



In no world is it excusable to have your ostensible competitor sign your binaries or certificates. They can make all the excuses they want, but it doesn't dissolve their incompetence, and shows they are unfit for running such a user-critical business.


No third party signed their certificates. Just a contracted employee who worked for Tesonet typed in his company name instead of ProtonVPN. That's just the Android keystore, nothing else. Google supports keystore rotation only starting with Android 9.


It's actually not even a contracted employee. It was a Proton employee who in 2016 was getting payroll through another company before we had our own corporate entity. Keystore rotation is still not yet available in Android, so the old key (which we solely control) can't be changed or modified. Android actually also hashes with the certificate metadata so even that can't be edited separately.


On principle I am not impressed with what happened and I think it's very sloppy. After the Lavabit fiasco we have to be extra scrutinous about the leadership in privacy-oriented companies. That said, I still have a few accounts with Protonmail and I think the service itself is pretty good.



