It turns out that the app did not start off with the intent to be malicious. However, it seems that in the latest update to the app, malicious code was snuck in and users who installed the app started noticing weird things happening with their phones. This was initially discovered by user Anon00 and Malwarebytes confirmed it.
Google has since removed the app from the Play Store, but like we said, the fact that it has been installed over 10 million times means that it’s probably a bit late and many users have most likely been infected since. Even if you delete the app, it doesn’t mean that your phone is completely safe. You might need to download a malware removal tool, like those made by Malwarebytes, if you truly wish to clean your phone.
It’s actually kind of scary the fact that it was an app available in the Play Store, and that the malicious code was cleverly hidden to the point where even Google’s systems did not pick it up.