Mechanism of intent for Chrome is not safe and easy to be phished
Reported by cruise1...@gmail.com, Jul 18 2016
Issue description

Steps to reproduce the problem:
1. Set the switch in Settings - Security - Unknown sources to true;
2. Build and make an unsafe Android app which has the same packageName as the official app (obviously this fake app's signature is different from the official one);
3. A common user installs the fake app instead of the official app;
4. Through the intent for Chrome, Chrome jumps to the fake app.

What is the expected behavior?
If the app is not official, then Chrome shouldn't jump to it through the intent in the website.

What went wrong?
At present, Chrome only supports verifying with the packageName in the intent, rather than the signature of the app; this step is not safe. Obviously, Chrome should and also is willing to make itself safe, such as App Links introduced in the Android 6.0 system, which only supports the https condition.

Did this work before? Yes
In the China Android market, since Android 4.x, this trick is popular; it happens all the time.

Chrome version: 51.0.2704.103 Channel: stable
OS Version: 6.0
Flash Version: Shockwave Flash 22.0 r0

In China, most users can't access the Google Play Store service, so they can only get and install apps via USB or by downloading from the internet, which can't verify that the app is safe and official. I think this issue may occur in other countries.
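The difference the report describes, between resolving an intent: URI by package name alone and also checking who signed the installed package, is modelled below as an added example; it is not Chrome's or Android's code. The package name, certificate bytes, pin list and function names are all constructed for illustration, and the "installed" table stands in for the device's package database.

```python
import hashlib
import hmac
from urllib.parse import unquote

# Constructed sample data: package name and certificate bytes are placeholders.
OFFICIAL_CERT = b"constructed-official-signing-certificate"
FAKE_CERT = b"constructed-repackaged-signing-certificate"
SAMPLE_URI = "intent://pay#Intent;scheme=examplebank;package=com.example.bank;end"
GENUINE_DEVICE = {"com.example.bank": OFFICIAL_CERT}     # package -> signer cert
SIDELOADED_DEVICE = {"com.example.bank": FAKE_CERT}      # same name, other signer

def cert_digest(cert: bytes) -> str:
    """SHA-256 of the signing certificate, the value a pin is compared with."""
    return hashlib.sha256(cert).hexdigest()

# Hypothetical pin list a verifier would ship: package name -> signer digest.
PINNED_SIGNERS = {"com.example.bank": cert_digest(OFFICIAL_CERT)}

def parse_intent_uri(uri: str) -> dict:
    """Split intent:<target>#Intent;key=value;...;end into its fields."""
    target, sep, fragment = uri.partition("#Intent;")
    if not uri.startswith("intent:") or not sep or not uri.endswith(";end"):
        raise ValueError("not a well-formed intent: URI")
    fields = {"target": target[len("intent:"):]}
    for item in fragment[:-len("end")].split(";"):
        key, eq, value = item.partition("=")
        if eq:
            fields[key] = unquote(value)
    return fields

def resolve_by_name(fields: dict, installed: dict) -> bool:
    """Name-only check: any installed app with that package name is accepted."""
    return fields.get("package") in installed

def resolve_with_signer_pin(fields: dict, installed: dict) -> bool:
    """Accept only if the installed package is signed by the pinned signer."""
    pkg = fields.get("package")
    expected, cert = PINNED_SIGNERS.get(pkg), installed.get(pkg)
    if expected is None or cert is None:
        return False
    return hmac.compare_digest(cert_digest(cert), expected)

if __name__ == "__main__":
    f = parse_intent_uri(SAMPLE_URI)
    for name, device in (("genuine", GENUINE_DEVICE), ("sideloaded", SIDELOADED_DEVICE)):
        print(name, resolve_by_name(f, device), resolve_with_signer_pin(f, device))
```

On the sideloaded device the name-only check still accepts the package, while the pinned check rejects it because the signer digest differs.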
Oct 25 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
Comment 1 by ta...@google.com, Jul 18 2016