The issues in this timely story came up a number of times today at Tor Dev as a threat model we must take more seriously. Fortunately, thanks to Tor Browser, Lunar, Holger, Hans, Fdroid and others, we are making real progress.
http://arstechnica.com/security/2016/02/most-software-already-has-a-golden-key-backdoor-its-called-auto-update/