No it cannot be overridden, but you don't need to. Let's jump down to:
can we avoid thisDefinitely. And ideally what you want to be doing is using proxy users. See here for details
https://asktom.oracle.com/pls/apex/asktom.search?tag=proxy-users In this way, when (say) "JOHN" connects, he will be using a session that is connected by "APP_USER" (the common user you were referring to in your question), and you will have access to *both* values (JOHN and APP_USER) for the purpose of auditing etc.
But even without that, the "quick and dirty" workaround is to use a context variable. When people connect to the application, have them do something like:
dbms_session.set_identifier('JOHN');
and then just do a simple find-replace of occurrences in your code of "USER" and replace with "sys_context('USERENV','CLIENT_IDENTIFIER')"
eg
SQL> exec dbms_session.set_identifier('JOHN');
PL/SQL procedure successfully completed.
SQL> select sys_context('USERENV','CLIENT_IDENTIFIER') from dual;
SYS_CONTEXT('USERENV','CLIENT_IDENTIFIER')
-------------------------------------------------
JOHN