The hacker version you created is overwriting your real app because you compiled the hacker version with the same copy of B4A, which used the same Private Signing Key as your real version. So, because the signing keys are the same between the two APKs, Android allowed the hacker app to overwrite the real version. However, this won't happen in real life with an APK created by a hacker because a hacker will NOT have a copy of your private signing key, so they won't be able to create an APK that will be able to overwrite your app because Android won't allow it because the signing keys won't match.
You can access your private signing key from the B4A IDE "Tools" menu... "Private Sign Key". WARNING: Do NOT try to change the private signing key in B4A to simulate creating a hacker version of your app, because if you don't know what you are doing and don't save your existing/original private key that you have been using all this time, then you will lose your original private key, and this can cause you a bunch of problems with releasing new versions of ALL your apps because you will no longer be able to compile APKs that use the original private key because you lost/changed it, so any updates of your apps won't be able to overwrite any existing versions.
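One way to confirm whether two APKs carry the same signer without touching the key stored in B4A, as an added example that is not part of the original post: compare the certificate digests that `apksigner verify --print-certs <apk>` prints for each file. The function names and the sample outputs (with made-up digests) are constructed for illustration, and the check assumes no key rotation is in use.

```python
import re

# Digest lines as printed by `apksigner verify --print-certs <apk>`.
_DIGEST_RE = re.compile(
    r"^Signer .*certificate SHA-256 digest: ([0-9a-fA-F]{64})\s*$", re.M
)


def signer_digests(print_certs_output):
    """Return the set of signer certificate SHA-256 digests found in the output."""
    return frozenset(d.lower() for d in _DIGEST_RE.findall(print_certs_output))


def compare_signers(installed_output, candidate_output):
    """Classify a candidate APK against the release that is already installed.

    Assumption: plain signature matching only; v3 key rotation is ignored.
    """
    installed = signer_digests(installed_output)
    candidate = signer_digests(candidate_output)
    if not installed or not candidate:
        return "unsigned-or-unparsed"   # never treat a missing digest as a match
    if installed == candidate:
        return "same-signer"            # Android would accept this as an update
    return "different-signer"           # Android would refuse to install over it


def _sample(digest):
    # Constructed output in the shape apksigner prints; all values are made up.
    return (
        "Signer #1 certificate DN: CN=Example Developer\n"
        f"Signer #1 certificate SHA-256 digest: {digest}\n"
    )


RELEASE_1 = _sample("ab" * 32)          # your published APK
RELEASE_2 = _sample("AB" * 32)          # your update, same key (case differs)
RESIGNED = _sample("cd" * 32)           # copy re-signed with someone else's key

if __name__ == "__main__":
    print(compare_signers(RELEASE_1, RELEASE_2))
    print(compare_signers(RELEASE_1, RESIGNED))
```

Recording the SHA-256 digest of your release certificate somewhere safe also lets you confirm later that a restored keystore backup is really the original key.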