Is there a way for a signature to be spoofed?

Yes, it's possible, but it's cryptographically hard. Signatures involve multiple steps:

1. Hash the application/message/whatever to produce a digest


2. Sign the digest with a key such that the signature can be verified using publicly available information.

Cryptographic hash functions are specifically designed to have collision resistance properties to prevent someone from finding multiple inputs that hash to the same output. By specifying that the original signature be maintained, you are asking about what is called the hash function's weak collision resistance, whether it is difficult to find a collision for a specific input. This is weak in the sense that it is easier to achieve than strong collision resistance, which is a measure of the difficulty of finding any collision between any inputs.

For a perfect cryptographic hash function, you can do no better than try random inputs (or malware + random element) in the hopes of generating a collision. The probability of doing this is 1/2^n for one attempt, where n is the number of bits in the hash output. For large n, the amount of time it would take to have a reasonable chance of finding a collision is astronomical even with nation-level computing resources available.

For any real cryptographic hash function, there is the chance that very smart people in the future will find a systematic way of finding collisions. This is when people stop using the hash function (for example, MD5) for secure applications and replace it with more secure alternatives.

In short, this is not something you should worry about, unless the signatures are found to be using broken hash functions.