It looks like there's two problems at the OAuth level. First, Google issued client credentials to a bad actor, and second, the client app is allowed to show "display" information that can spoof real information without any checking. There may be some whizzy technical solutions around the second problem, maybe with software statements and digital signatures over what can be displayed.
UMA is susceptible to this at stages where it relies on OAuth for (typically one-time/long-term) trust establishment, such as PAT issuance among the RO, AS, and RS, and also wherever the AS does interactive claims gathering using OAuth-based flows. Non-OAuth-based flows, such as SAML, presumably could be susceptible to the same problem. (Years ago I had thought InfoCard had some built-in way to secure "display names" from spoofing, but subsequently couldn't find it...)